4730c05976b18848b794f818ecd35f7e6707b38c
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2015-04-21  Filip Pizlo  <fpizlo@apple.com>

        DFG should allow Phantoms after terminals
        https://bugs.webkit.org/show_bug.cgi?id=126778

        Reviewed by Mark Lam.

        It's important for us to be able to place liveness-marking nodes after nodes that do
        things. These liveness-marking nodes are nops. Previously, we disallowed such nodes after
        terminals. That made things awkward, especially for Switch and Branch, which may do
        things that necessitate liveness markers (for example they might want to use a converted
        version of a value rather than the value that was MovHinted). We previously made this
        work by disallowing certain optimizations on Switch and Branch, which was probably a bad
        thing.

        This changes our IR to allow for the terminal to not be the last node in a block. Asking
        for the terminal involves a search. DFG::validate() checks that the nodes after the
        terminal are liveness markers that have no effects or checks.

        This is perf-neutral but will allow more optimizations in the future. It will also make
        it cleaner to fix https://bugs.webkit.org/show_bug.cgi?id=143735.

        * dfg/DFGBasicBlock.cpp:
        (JSC::DFG::BasicBlock::replaceTerminal):
        * dfg/DFGBasicBlock.h:
        (JSC::DFG::BasicBlock::findTerminal):
        (JSC::DFG::BasicBlock::terminal):
        (JSC::DFG::BasicBlock::insertBeforeTerminal):
        (JSC::DFG::BasicBlock::numSuccessors):
        (JSC::DFG::BasicBlock::successor):
        (JSC::DFG::BasicBlock::successorForCondition):
        (JSC::DFG::BasicBlock::successors):
        (JSC::DFG::BasicBlock::last): Deleted.
        (JSC::DFG::BasicBlock::takeLast): Deleted.
        (JSC::DFG::BasicBlock::insertBeforeLast): Deleted.
        (JSC::DFG::BasicBlock::SuccessorsIterable::SuccessorsIterable): Deleted.
        (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::iterator): Deleted.
        (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator*): Deleted.
        (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator++): Deleted.
        (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator==): Deleted.
        (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator!=): Deleted.
        (JSC::DFG::BasicBlock::SuccessorsIterable::begin): Deleted.
        (JSC::DFG::BasicBlock::SuccessorsIterable::end): Deleted.
        * dfg/DFGBasicBlockInlines.h:
        (JSC::DFG::BasicBlock::appendNonTerminal):
        (JSC::DFG::BasicBlock::replaceTerminal):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addToGraph):
        (JSC::DFG::ByteCodeParser::inlineCall):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::linkBlock):
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::run):
        (JSC::DFG::CFGSimplificationPhase::convertToJump):
        (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
        * dfg/DFGCommon.h:
        (JSC::DFG::NodeAndIndex::NodeAndIndex):
        (JSC::DFG::NodeAndIndex::operator!):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupBlock):
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::injectTypeConversionsInBlock):
        (JSC::DFG::FixupPhase::clearPhantomsAtEnd): Deleted.
        * dfg/DFGForAllKills.h:
        (JSC::DFG::forAllLiveNodesAtTail):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::terminalsAreValid):
        (JSC::DFG::Graph::dumpBlockHeader):
        * dfg/DFGGraph.h:
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
        * dfg/DFGLICMPhase.cpp:
        (JSC::DFG::LICMPhase::run):
        (JSC::DFG::LICMPhase::attemptHoist):
        * dfg/DFGMovHintRemovalPhase.cpp:
        * dfg/DFGNode.h:
        (JSC::DFG::Node::SuccessorsIterable::SuccessorsIterable):
        (JSC::DFG::Node::SuccessorsIterable::iterator::iterator):
        (JSC::DFG::Node::SuccessorsIterable::iterator::operator*):
        (JSC::DFG::Node::SuccessorsIterable::iterator::operator++):
        (JSC::DFG::Node::SuccessorsIterable::iterator::operator==):
        (JSC::DFG::Node::SuccessorsIterable::iterator::operator!=):
        (JSC::DFG::Node::SuccessorsIterable::begin):
        (JSC::DFG::Node::SuccessorsIterable::end):
        (JSC::DFG::Node::successors):
        * dfg/DFGObjectAllocationSinkingPhase.cpp:
        (JSC::DFG::ObjectAllocationSinkingPhase::determineMaterializationPoints):
        (JSC::DFG::ObjectAllocationSinkingPhase::placeMaterializationPoints):
        (JSC::DFG::ObjectAllocationSinkingPhase::promoteSunkenFields):
        * dfg/DFGPhantomRemovalPhase.cpp:
        (JSC::DFG::PhantomRemovalPhase::run):
        * dfg/DFGPutStackSinkingPhase.cpp:
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::detectPeepHoleBranch):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStaticExecutionCountEstimationPhase.cpp:
        (JSC::DFG::StaticExecutionCountEstimationPhase::run):
        * dfg/DFGTierUpCheckInjectionPhase.cpp:
        (JSC::DFG::TierUpCheckInjectionPhase::run):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validate):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        * tests/stress/closure-call-exit.js: Added.
        (foo):

2015-04-21  Basile Clement  <basile_clement@apple.com>

        PhantomNewObject should be marked NodeMustGenerate
        https://bugs.webkit.org/show_bug.cgi?id=143974

        Reviewed by Filip Pizlo.

        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToPhantomNewObject):
        Was not properly marking NodeMustGenerate when converting.

2015-04-21  Filip Pizlo  <fpizlo@apple.com>

        DFG Call/ConstructForwardVarargs fails to restore the stack pointer
        https://bugs.webkit.org/show_bug.cgi?id=144007

        Reviewed by Mark Lam.

        We were conditioning the stack pointer restoration on isVarargs, but we also need to do it
        if isForwardVarargs.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * tests/stress/varargs-then-slow-call.js: Added.
        (foo):
        (bar):
        (fuzz):
        (baz):

2015-04-21  Basile Clement  <basile_clement@apple.com>

        Remove AllocationProfileWatchpoint node
        https://bugs.webkit.org/show_bug.cgi?id=143999

        Reviewed by Filip Pizlo.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGHeapLocation.h:
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasCellOperand):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGWatchpointCollectionPhase.cpp:
        (JSC::DFG::WatchpointCollectionPhase::handle):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        * runtime/JSFunction.h:
        (JSC::JSFunction::rareData):
        (JSC::JSFunction::allocationProfileWatchpointSet): Deleted.

2015-04-19  Filip Pizlo  <fpizlo@apple.com>

        MovHint should be a strong use
        https://bugs.webkit.org/show_bug.cgi?id=143734

        Reviewed by Geoffrey Garen.

        This disables any DCE that assumes equivalence between DFG IR uses and bytecode uses. Doing
        so is a major step towards allowing more fancy DFG transformations and also probably fixing
        some bugs.

        Just making MovHint a strong use would also completely disable DCE. So we mitigate this by
        introducing a MovHint removal phase that runs in FTL.

        This is a slight slowdown on Octane/gbemu, but it's basically neutral on suite averages.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeOrigin.cpp:
        (JSC::InlineCallFrame::dumpInContext):
        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::fixupBlock):
        * dfg/DFGDisassembler.cpp:
        (JSC::DFG::Disassembler::createDumpList):
        * dfg/DFGEpoch.cpp: Added.
        (JSC::DFG::Epoch::dump):
        * dfg/DFGEpoch.h: Added.
        (JSC::DFG::Epoch::Epoch):
        (JSC::DFG::Epoch::first):
        (JSC::DFG::Epoch::operator!):
        (JSC::DFG::Epoch::next):
        (JSC::DFG::Epoch::bump):
        (JSC::DFG::Epoch::operator==):
        (JSC::DFG::Epoch::operator!=):
        * dfg/DFGMayExit.cpp:
        (JSC::DFG::mayExit):
        * dfg/DFGMovHintRemovalPhase.cpp: Added.
        (JSC::DFG::performMovHintRemoval):
        * dfg/DFGMovHintRemovalPhase.h: Added.
        * dfg/DFGNodeType.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/Options.h:

2015-04-21  Basile Clement  <basile_clement@apple.com>

        REGRESSION (r182899): icloud.com crashes
        https://bugs.webkit.org/show_bug.cgi?id=143960

        Reviewed by Filip Pizlo.

        * runtime/JSFunction.h:
        (JSC::JSFunction::allocationStructure):
        * tests/stress/dfg-rare-data.js: Added.
        (F): Regression test

2015-04-21  Michael Saboff  <msaboff@apple.com>

        Crash in JSC::Interpreter::execute
        https://bugs.webkit.org/show_bug.cgi?id=142625

        Reviewed by Filip Pizlo.

        We need to keep the FunctionExecutables in the code block for the eval flavor of
        Interpreter::execute() in order to create the scope used to eval.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::jettisonFunctionDeclsAndExprs): Deleted.
        * bytecode/CodeBlock.h:
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::registerFrozenValues):

2015-04-21  Chris Dumez  <cdumez@apple.com>

        Make Vector(const Vector<T, otherCapacity, otherOverflowBehaviour>&) constructor explicit
        https://bugs.webkit.org/show_bug.cgi?id=143970

        Reviewed by Darin Adler.

        Make Vector(const Vector<T, otherCapacity, otherOverflowBehaviour>&)
        constructor explicit as it copies the vector and it is easy to call it
        by mistake.

        * bytecode/UnlinkedInstructionStream.cpp:
        (JSC::UnlinkedInstructionStream::UnlinkedInstructionStream):
        * bytecode/UnlinkedInstructionStream.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::lower):

2015-04-20  Basile Clement  <basile_clement@apple.com>

        PhantomNewObject should be marked NodeMustGenerate
        https://bugs.webkit.org/show_bug.cgi?id=143974

        Reviewed by Filip Pizlo.

        * dfg/DFGNodeType.h: Mark PhantomNewObject as NodeMustGenerate

2015-04-20  Joseph Pecoraro  <pecoraro@apple.com>

        Cleanup some StringBuilder use
        https://bugs.webkit.org/show_bug.cgi?id=143550

        Reviewed by Darin Adler.

        * runtime/Symbol.cpp:
        (JSC::Symbol::descriptiveString):
        * runtime/TypeProfiler.cpp:
        (JSC::TypeProfiler::typeInformationForExpressionAtOffset):
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::toJSONString):
        (JSC::StructureShape::propertyHash):
        (JSC::StructureShape::stringRepresentation):
        (JSC::StructureShape::toJSONString):

2015-04-20  Mark Lam  <mark.lam@apple.com>

        Add debugging tools to test if a given pointer is a valid object and in the heap.
        https://bugs.webkit.org/show_bug.cgi?id=143910

        Reviewed by Geoffrey Garen.

        When doing debugging from lldb, sometimes, it is useful to be able to tell if a
        purported JSObject is really a valid object in the heap or not.  We can add the
        following utility functions to help:
            isValidCell(heap, candidate) - returns true if the candidate is a "live" cell in the heap.
            isInHeap(heap, candidate) - returns true if the candidate is in the heap's Object space or Storage space.
            isInObjectSpace(heap, candidate) - returns true if the candidate is in the heap's Object space.
            isInStorageSpace(heap, candidate) - returns true if the candidate is in the heap's Storage space.

        Also moved lldb callable debug utility function prototypes from
        JSDollarVMPrototype.cpp to JSDollarVMPrototype.h as static members of the
        JSDollarVMPrototype class.  This is so that we can conveniently #include that
        file to get the prototypes when we need to call them programmatically from
        instrumentation that we add while debugging an issue.

        * heap/Heap.h:
        (JSC::Heap::storageSpace):
        * tools/JSDollarVMPrototype.cpp:
        (JSC::JSDollarVMPrototype::currentThreadOwnsJSLock):
        (JSC::ensureCurrentThreadOwnsJSLock):
        (JSC::JSDollarVMPrototype::gc):
        (JSC::functionGC):
        (JSC::JSDollarVMPrototype::edenGC):
        (JSC::functionEdenGC):
        (JSC::JSDollarVMPrototype::isInHeap):
        (JSC::JSDollarVMPrototype::isInObjectSpace):
        (JSC::JSDollarVMPrototype::isInStorageSpace):
        (JSC::ObjectAddressCheckFunctor::ObjectAddressCheckFunctor):
        (JSC::ObjectAddressCheckFunctor::operator()):
        (JSC::JSDollarVMPrototype::isValidCell):
        (JSC::JSDollarVMPrototype::isValidCodeBlock):
        (JSC::JSDollarVMPrototype::codeBlockForFrame):
        (JSC::functionCodeBlockForFrame):
        (JSC::codeBlockFromArg):
        (JSC::JSDollarVMPrototype::printCallFrame):
        (JSC::JSDollarVMPrototype::printStack):
        (JSC::JSDollarVMPrototype::printValue):
        (JSC::currentThreadOwnsJSLock): Deleted.
        (JSC::gc): Deleted.
        (JSC::edenGC): Deleted.
        (JSC::isValidCodeBlock): Deleted.
        (JSC::codeBlockForFrame): Deleted.
        (JSC::printCallFrame): Deleted.
        (JSC::printStack): Deleted.
        (JSC::printValue): Deleted.
        * tools/JSDollarVMPrototype.h:

2015-04-20  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Improve Support for WeakSet in Console
        https://bugs.webkit.org/show_bug.cgi?id=143951

        Reviewed by Darin Adler.

        * inspector/InjectedScriptSource.js:
        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::subtype):
        (Inspector::JSInjectedScriptHost::weakSetSize):
        (Inspector::JSInjectedScriptHost::weakSetEntries):
        * inspector/JSInjectedScriptHost.h:
        * inspector/JSInjectedScriptHostPrototype.cpp:
        (Inspector::JSInjectedScriptHostPrototype::finishCreation):
        (Inspector::jsInjectedScriptHostPrototypeFunctionWeakSetSize):
        (Inspector::jsInjectedScriptHostPrototypeFunctionWeakSetEntries):
        Treat WeakSets like special sets.

        * inspector/protocol/Runtime.json:
        Add a new object subtype, "weakset".

2015-04-20  Yusuke Suzuki  <utatane.tea@gmail.com>

        HashMap storing PropertyKey StringImpl* need to use IdentifierRepHash to handle Symbols
        https://bugs.webkit.org/show_bug.cgi?id=143947

        Reviewed by Darin Adler.

        The type profiler has a map between PropertyKey (StringImpl*) and offset.
        StringImpl* is also used for Symbol PropertyKeys.
        So equality in the hash table is determined by the interned StringImpl*'s pointer value.
        To do so, use IdentifierRepHash instead of StringHash.

        * runtime/SymbolTable.h:

2015-04-20  Jordan Harband  <ljharb@gmail.com>

        Implement `Object.is`
        https://bugs.webkit.org/show_bug.cgi?id=143865

        Reviewed by Darin Adler.

        Expose sameValue to JS, via Object.is
        https://people.mozilla.org/~jorendorff/es6-draft.html#sec-object.is

        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorIs):
        * runtime/PropertyDescriptor.cpp:
        (JSC::sameValue):

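        Added example (not WebKit code): the SameValue algorithm that the entry above exposes
        as Object.is, written out in JavaScript beside ===, so the two cases where they disagree
        (NaN and signed zero) are visible and can be checked against the engine's own Object.is.
        The names sameValue, disagreements and matchesNative belong to this example only.

```javascript
// Added example, not JavaScriptCore source. SameValue as the ES6 draft
// defines it for Object.is: no coercion, NaN equals NaN, +0 and -0 differ.
function sameValue(x, y) {
  // Different types are never the same value (no coercion, unlike ==).
  if (typeof x !== typeof y) return false;
  if (typeof x === "number") {
    // === says NaN !== NaN; SameValue says NaN is the same value as NaN.
    if (Number.isNaN(x) && Number.isNaN(y)) return true;
    // === says 0 === -0; SameValue distinguishes them (1/0 vs 1/-0).
    if (x === 0 && y === 0) return 1 / x === 1 / y;
    return x === y;
  }
  // Strings, booleans, undefined, null, symbols and objects: identity/value as ===.
  return x === y;
}

// The inputs on which strict equality and SameValue give different answers.
function disagreements() {
  const pairs = [[NaN, NaN], [0, -0], [-0, 0]];
  return pairs.map(([a, b]) => ({ a, b, strict: a === b, same: sameValue(a, b) }));
}

// Cross-check this implementation against the engine's built-in Object.is.
function matchesNative(x, y) {
  return sameValue(x, y) === Object.is(x, y);
}
```

        Every entry returned by disagreements() has strict and same set to opposite values;
        that is the whole observable difference between === and Object.is.
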
2015-04-19  Darin Adler  <darin@apple.com>

        Remove all the remaining uses of OwnPtr and PassOwnPtr in JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=143941

        Reviewed by Gyuyoung Kim.

        * API/JSCallbackObject.h: Use unique_ptr for m_callbackObjectData.
        * API/JSCallbackObjectFunctions.h: Ditto.

        * API/ObjCCallbackFunction.h: Use unique_ptr for the arguments to the
        create function and the constructor and for m_impl.
        * API/ObjCCallbackFunction.mm:
        (CallbackArgumentOfClass::CallbackArgumentOfClass): Streamline this
        class by using RetainPtr<Class>.
        (ArgumentTypeDelegate::typeInteger): Use make_unique.
        (ArgumentTypeDelegate::typeDouble): Ditto.
        (ArgumentTypeDelegate::typeBool): Ditto.
        (ArgumentTypeDelegate::typeVoid): Ditto.
        (ArgumentTypeDelegate::typeId): Ditto.
        (ArgumentTypeDelegate::typeOfClass): Ditto.
        (ArgumentTypeDelegate::typeBlock): Ditto.
        (ArgumentTypeDelegate::typeStruct): Ditto.
        (ResultTypeDelegate::typeInteger): Ditto.
        (ResultTypeDelegate::typeDouble): Ditto.
        (ResultTypeDelegate::typeBool): Ditto.
        (ResultTypeDelegate::typeVoid): Ditto.
        (ResultTypeDelegate::typeId): Ditto.
        (ResultTypeDelegate::typeOfClass): Ditto.
        (ResultTypeDelegate::typeBlock): Ditto.
        (ResultTypeDelegate::typeStruct): Ditto.
        (JSC::ObjCCallbackFunctionImpl::ObjCCallbackFunctionImpl): Use
        unique_ptr for the arguments to the constructor, m_arguments, and m_result.
        Use RetainPtr<Class> for m_instanceClass.
        (JSC::objCCallbackFunctionCallAsConstructor): Use nullptr instead of nil or 0
        for non-Objective-C object pointer null.
        (JSC::ObjCCallbackFunction::ObjCCallbackFunction): Use unique_ptr for
        the arguments to the constructor and for m_impl.
        (JSC::ObjCCallbackFunction::create): Use unique_ptr for arguments.
        (skipNumber): Mark this static since it's local to this source file.
        (objCCallbackFunctionForInvocation): Call parseObjCType without doing any
        explicit adoptPtr since the types in the traits are now unique_ptr. Also use
        nullptr instead of nil for JSObjectRef values.
        (objCCallbackFunctionForMethod): Tweaked comment.
        (objCCallbackFunctionForBlock): Use nullptr instead of 0 for JSObjectRef.

        * bytecode/CallLinkInfo.h: Removed unneeded include of OwnPtr.h.

        * heap/GCThread.cpp:
        (JSC::GCThread::GCThread): Use unique_ptr.
        * heap/GCThread.h: Use unique_ptr for arguments to the constructor and for
        m_slotVisitor and m_copyVisitor.
        * heap/GCThreadSharedData.cpp:
        (JSC::GCThreadSharedData::GCThreadSharedData): Ditto.

        * parser/SourceProvider.h: Removed unneeded include of PassOwnPtr.h.

2015-04-19  Benjamin Poulain  <benjamin@webkit.org>

        Improve the feature.json files

        * features.json:

2015-04-19  Yusuke Suzuki  <utatane.tea@gmail.com>

        Introduce bytecode intrinsics
        https://bugs.webkit.org/show_bug.cgi?id=143926

        Reviewed by Filip Pizlo.

        This patch introduces bytecode level intrinsics into builtins/*.js JS code.
        When implementing functions in builtins/*.js,
        sometimes we require lower level functionality.

        For example, in the current Array.from, we use `result[k] = value`.
        The spec requires the `[[DefineOwnProperty]]` operation here.
        However, the usual `result[k] = value` is evaluated as `[[Set]]`. (`PutValue` => `[[Set]]`)
        So if we implement an `Array.prototype[k]` getter/setter, the difference is observable.

        Ideally, reaching here, we would like to use the put_by_val_direct bytecode.
        However, there's no syntax to generate it directly.

        This patch introduces bytecode level intrinsics into the JSC BytecodeCompiler.
        Like @call and @apply, we introduce a new node, Intrinsic.
        These are generated when calling appropriate private symbols in privileged code.
        The AST parser detects them and generates Intrinsic nodes, and
        the BytecodeCompiler detects them and generates the required bytecodes.

        Currently, the Array.from implementation works fine without this patch.
        This is because when the target code is builtin JS,
        BytecodeGenerator emits put_by_val_direct instead of put_by_val.
        This solves the above issue. However, instead of solving this issue,
        it raises another issue: there's no way to emit the `[[Set]]` operation.
        The `[[Set]]` operation is actually used in the spec (Array.from's "length" is set by `[[Set]]`).
        So to implement it precisely, introducing bytecode level intrinsics is necessary.

        In subsequent fixes, we'll remove that special path emitting put_by_val_direct
        for `result[k] = value` under the builtin JS environment. Instead of that special handling,
        we will use bytecode intrinsics. It solves the problems and is more intuitive
        because JS code written in builtins works the same as usual JS code.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/ArrayConstructor.js:
        (from):
        * bytecode/BytecodeIntrinsicRegistry.cpp: Added.
        (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
        (JSC::BytecodeIntrinsicRegistry::lookup):
        * bytecode/BytecodeIntrinsicRegistry.h: Added.
        * bytecompiler/NodesCodegen.cpp:
        (JSC::BytecodeIntrinsicNode::emitBytecode):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByValDirect):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::makeFunctionCallNode):
        * parser/NodeConstructors.h:
        (JSC::BytecodeIntrinsicNode::BytecodeIntrinsicNode):
        * parser/Nodes.h:
        (JSC::BytecodeIntrinsicNode::identifier):
        * runtime/CommonIdentifiers.cpp:
        (JSC::CommonIdentifiers::CommonIdentifiers):
        * runtime/CommonIdentifiers.h:
        (JSC::CommonIdentifiers::bytecodeIntrinsicRegistry):
        * tests/stress/array-from-with-accessors.js: Added.
        (shouldBe):

2015-04-19  Yusuke Suzuki  <utatane.tea@gmail.com>

        Make Builtin functions non constructible
        https://bugs.webkit.org/show_bug.cgi?id=143923

        Reviewed by Darin Adler.

        Builtin functions defined by builtins/*.js accidentally have [[Construct]].
        According to the spec, these functions, except for those explicitly defined as constructors, do not have [[Construct]].
        This patch fixes it. When the JS function used for construction is a builtin function, throw a "not a constructor" error.

        Ideally, returning ConstructTypeNone in JSFunction::getConstructData is enough.
        However, to avoid calling getConstructData (it involves an indirect call through the getConstructData function pointer), some places do not check ConstructType.
        In these places, they only check that the target function is a JSFunction, because previously a JSFunction always had [[Construct]].
        So in this patch, we check `isBuiltinFunction()` in those places.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::inliningCost):
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::setUpCall):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::getConstructData):
        * tests/stress/builtin-function-is-construct-type-none.js: Added.
        (shouldThrow):

2015-04-19  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Implement WeakSet
        https://bugs.webkit.org/show_bug.cgi?id=142408

        Reviewed by Darin Adler.

        This patch implements ES6 WeakSet.
        The current implementation simply leverages WeakMapData with an undefined value.
        This WeakMapData should be optimized in the same manner as MapData/SetData in a subsequent patch[1].

        And in this patch, we also fix WeakMap/WeakSet behavior to conform to the ES6 spec.
        Except for adders (WeakMap.prototype.set/WeakSet.prototype.add),
        methods return false (or undefined for WeakMap.prototype.get)
        when a key is not an Object instead of throwing a type error.

        [1]: https://bugs.webkit.org/show_bug.cgi?id=143919

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/CommonIdentifiers.h:
        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalObject.h:
        * runtime/JSWeakSet.cpp: Added.
        (JSC::JSWeakSet::finishCreation):
        (JSC::JSWeakSet::visitChildren):
        * runtime/JSWeakSet.h: Added.
        (JSC::JSWeakSet::createStructure):
        (JSC::JSWeakSet::create):
        (JSC::JSWeakSet::weakMapData):
        (JSC::JSWeakSet::JSWeakSet):
        * runtime/WeakMapPrototype.cpp:
        (JSC::getWeakMapData):
        (JSC::protoFuncWeakMapDelete):
        (JSC::protoFuncWeakMapGet):
        (JSC::protoFuncWeakMapHas):
        * runtime/WeakSetConstructor.cpp: Added.
        (JSC::WeakSetConstructor::finishCreation):
        (JSC::callWeakSet):
        (JSC::constructWeakSet):
        (JSC::WeakSetConstructor::getConstructData):
        (JSC::WeakSetConstructor::getCallData):
        * runtime/WeakSetConstructor.h: Added.
        (JSC::WeakSetConstructor::create):
        (JSC::WeakSetConstructor::createStructure):
        (JSC::WeakSetConstructor::WeakSetConstructor):
        * runtime/WeakSetPrototype.cpp: Added.
        (JSC::WeakSetPrototype::finishCreation):
        (JSC::getWeakMapData):
        (JSC::protoFuncWeakSetDelete):
        (JSC::protoFuncWeakSetHas):
        (JSC::protoFuncWeakSetAdd):
        * runtime/WeakSetPrototype.h: Added.
        (JSC::WeakSetPrototype::create):
        (JSC::WeakSetPrototype::createStructure):
        (JSC::WeakSetPrototype::WeakSetPrototype):
        * tests/stress/weak-set-constructor-adder.js: Added.
        (WeakSet.prototype.add):
        * tests/stress/weak-set-constructor.js: Added.

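        Added example (not WebKit code): a WeakSet written in JavaScript on top of a WeakMap
        that stores undefined as the value, mirroring the design the entry above describes, with
        the ES6 non-object-key behaviour it also describes (has and delete return false, only the
        adder throws a TypeError). WeakSetShim, isObject and agreesWithNative are this example's
        own names; the last one checks the shim against the engine's native WeakSet.

```javascript
// Added example, not JavaScriptCore source. WeakSet semantics expressed over
// a WeakMap whose values are always undefined.
function isObject(value) {
  // ES6 Type(value) is Object: non-null objects and functions.
  return (typeof value === "object" && value !== null) || typeof value === "function";
}

class WeakSetShim {
  #data = new WeakMap(); // key -> undefined; the key set is the whole state

  add(value) {
    // The adder is the one method the spec requires to throw on a non-object.
    if (!isObject(value)) throw new TypeError("WeakSet.prototype.add: value is not an object");
    this.#data.set(value, undefined);
    return this;
  }

  has(value) {
    // Non-object keys can never be present, so report false rather than throw.
    return isObject(value) && this.#data.has(value);
  }

  delete(value) {
    // Likewise: nothing to delete for a non-object key, so false, no error.
    return isObject(value) && this.#data.delete(value);
  }
}

// Run one key through add/has/delete/has on both the shim and the native
// WeakSet and report whether every observable outcome matches.
function agreesWithNative(key) {
  const run = (set) => {
    let addThrewTypeError = false;
    try {
      set.add(key);
    } catch (e) {
      addThrewTypeError = e instanceof TypeError;
    }
    return [addThrewTypeError, set.has(key), set.delete(key), set.has(key)];
  };
  const shim = run(new WeakSetShim());
  const native = run(new WeakSet());
  return shim.every((v, i) => v === native[i]);
}
```

        For an object key both sides report [false, true, true, false]; for a primitive such as
        42 or null both report [true, false, false, false], which is exactly the behaviour change
        the entry describes for has and delete.
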
2015-04-17  Alexey Proskuryakov  <ap@apple.com>

        Remove unused BoundsCheckedPointer
        https://bugs.webkit.org/show_bug.cgi?id=143896

        Reviewed by Geoffrey Garen.

        * bytecode/SpeculatedType.cpp: The header was included here.

2015-04-17  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] Fix name enumeration of static functions for Symbol constructor
        https://bugs.webkit.org/show_bug.cgi?id=143891

        Reviewed by Geoffrey Garen.

        Fix missing symbolPrototypeTable registration to the js class object.
        This patch fixes name enumeration of static functions (Symbol.key, Symbol.keyFor) for Symbol constructor.

        * runtime/SymbolConstructor.cpp:

2015-04-17  Basile Clement  <basile_clement@apple.com>

        Inline JSFunction allocation in DFG
        https://bugs.webkit.org/show_bug.cgi?id=143858

        Reviewed by Filip Pizlo.

        Followup to my previous patch which inlines JSFunction allocation when
        using FTL, now also enabled in DFG.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNewFunction):

2015-04-16  Jordan Harband  <ljharb@gmail.com>

        Number.parseInt is not === global parseInt in nightly r182673
        https://bugs.webkit.org/show_bug.cgi?id=143799

        Reviewed by Darin Adler.

        Ensuring parseInt === Number.parseInt, per spec
        https://people.mozilla.org/~jorendorff/es6-draft.html#sec-number.parseint

        * runtime/CommonIdentifiers.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::parseIntFunction):
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::finishCreation):

2015-04-16  Mark Lam  <mark.lam@apple.com>

        Gardening: fix CLOOP build after r182927.

        Not reviewed.

        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::Frame::print):

2015-04-16  Basile Clement  <basile_clement@apple.com>

        Inline JSFunction allocation in FTL
        https://bugs.webkit.org/show_bug.cgi?id=143851

        Reviewed by Filip Pizlo.

        JSFunction allocation is a simple operation that should be inlined when possible.

        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNewFunction):
        * runtime/JSFunction.h:
        (JSC::JSFunction::allocationSize):

2015-04-16  Mark Lam  <mark.lam@apple.com>

        Add $vm debugging tool.
        https://bugs.webkit.org/show_bug.cgi?id=143809

        Reviewed by Geoffrey Garen.

        For debugging VM bugs, it would be useful to be able to dump VM data structures
        from JS code that we instrument.  To this end, let's introduce a
        JS_enableDollarVM option that, if true, installs an $vm property into each JS
        global object at creation time.  The $vm property refers to an object that
        provides a collection of useful utility functions.  For this initial
        implementation, $vm will have the following:

            crash() - trigger an intentional crash.

            dfgTrue() - returns true if the current function is DFG compiled, else returns false.
            jitTrue() - returns true if the current function is compiled by the baseline JIT, else returns false.
            llintTrue() - returns true if the current function is interpreted by the LLINT, else returns false.

            gc() - runs a full GC.
            edenGC() - runs an eden GC.

            codeBlockForFrame(frameNumber) - gets the codeBlock at the specified frame (0 = current, 1 = caller, etc).
            printSourceFor(codeBlock) - prints the source code for the codeBlock.
            printByteCodeFor(codeBlock) - prints the bytecode for the codeBlock.
729
730             print(str) - prints a string to dataLog output.
731             printCallFrame() - prints the current CallFrame.
732             printStack() - prints the JS stack.
733             printInternal(value) - prints the JSC internal info for the specified value.
734
735         With JS_enableDollarVM=true, JS code can use the above functions like so:
736
737             $vm.print("Using $vm features\n");
738
739         * CMakeLists.txt:
740         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
741         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
742         * JavaScriptCore.xcodeproj/project.pbxproj:
743         * bytecode/CodeBlock.cpp:
744         (JSC::CodeBlock::printCallOp):
745         - FTL compiled functions don't like it when we try to compute the CallLinkStatus.
746           Hence, we skip this step if we're dumping an FTL codeBlock.
747
748         * heap/Heap.cpp:
749         (JSC::Heap::collectAndSweep):
750         (JSC::Heap::collectAllGarbage): Deleted.
751         * heap/Heap.h:
752         (JSC::Heap::collectAllGarbage):
753         - Add ability to do an Eden collection and sweep.
754
755         * interpreter/StackVisitor.cpp:
756         (JSC::printIndents):
757         (JSC::log):
758         (JSC::logF):
759         (JSC::StackVisitor::Frame::print):
760         (JSC::jitTypeName): Deleted.
761         (JSC::printif): Deleted.
762         - Modernize the implementation of StackVisitor::Frame::print(), and remove some
763           now redundant code.
764         - Also fix it so that it downgrades gracefully when encountering inlined DFG
765           and compiled FTL functions.
766
767         (DebugPrintFrameFunctor::DebugPrintFrameFunctor): Deleted.
768         (DebugPrintFrameFunctor::operator()): Deleted.
769         (debugPrintCallFrame): Deleted.
770         (debugPrintStack): Deleted.
771         - these have been moved into JSDollarVMPrototype.cpp. 
772
773         * interpreter/StackVisitor.h:
774         - StackVisitor::Frame::print() is now enabled for release builds as well so that
775           we can call it from $vm.
776
777         * runtime/JSGlobalObject.cpp:
778         (JSC::JSGlobalObject::init):
779         (JSC::JSGlobalObject::visitChildren):
780         * runtime/JSGlobalObject.h:
781         - Added the $vm instance to global objects conditional on the JSC_enableDollarVM
782           option.
783
784         * runtime/Options.h:
785         - Added the JSC_enableDollarVM option.
786
787         * tools/JSDollarVM.cpp: Added.
788         * tools/JSDollarVM.h: Added.
789         (JSC::JSDollarVM::createStructure):
790         (JSC::JSDollarVM::create):
791         (JSC::JSDollarVM::JSDollarVM):
792
793         * tools/JSDollarVMPrototype.cpp: Added.
794         - This file contains 2 sets of functions:
795
796           a. a C++ implementation of debugging utility functions that are callable when
797              doing debugging from lldb.  To the extent possible, these functions try to
798              be cautious and not cause unintended crashes should the user call them with
799              the wrong info.  Hence, they are designed to be robust rather than speedy.
800
801           b. the native implementations of JS functions in the $vm object.  Where there
802              is overlapping functionality, these are built on top of the C++ functions
803              above to do the work.
804
805           Note: it does not make sense for all of the $vm functions to have a C++
806           counterpart for lldb debugging.  For example, the $vm.dfgTrue() function is
807           only useful for JS code, and works via the DFG intrinsics mechanism.
808           When doing debugging via lldb, the optimization level of the currently
809           executing JS function can be gotten by dumping the current CallFrame instead.
810
811         (JSC::currentThreadOwnsJSLock):
812         (JSC::ensureCurrentThreadOwnsJSLock):
813         (JSC::JSDollarVMPrototype::addFunction):
814         (JSC::functionCrash): - $vm.crash()
815         (JSC::functionDFGTrue): - $vm.dfgTrue()
816         (JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor):
817         (JSC::CallerFrameJITTypeFunctor::operator()):
818         (JSC::CallerFrameJITTypeFunctor::jitType):
819         (JSC::functionLLintTrue): - $vm.llintTrue()
820         (JSC::functionJITTrue): - $vm.jitTrue()
821         (JSC::gc):
822         (JSC::functionGC): - $vm.gc()
823         (JSC::edenGC):
824         (JSC::functionEdenGC): - $vm.edenGC()
825         (JSC::isValidCodeBlock):
826         (JSC::codeBlockForFrame):
827         (JSC::functionCodeBlockForFrame): - $vm.codeBlockForFrame(frameNumber)
828         (JSC::codeBlockFromArg):
829         (JSC::functionPrintSourceFor): - $vm.printSourceFor(codeBlock)
830         (JSC::functionPrintByteCodeFor): - $vm.printBytecodeFor(codeBlock)
831         (JSC::functionPrint): - $vm.print(str)
832         (JSC::PrintFrameFunctor::PrintFrameFunctor):
833         (JSC::PrintFrameFunctor::operator()):
834         (JSC::printCallFrame):
835         (JSC::printStack):
836         (JSC::functionPrintCallFrame): - $vm.printCallFrame()
837         (JSC::functionPrintStack): - $vm.printStack()
838         (JSC::printValue):
839         (JSC::functionPrintValue): - $vm.printValue()
840         (JSC::JSDollarVMPrototype::finishCreation):
841         * tools/JSDollarVMPrototype.h: Added.
842         (JSC::JSDollarVMPrototype::create):
843         (JSC::JSDollarVMPrototype::createStructure):
844         (JSC::JSDollarVMPrototype::JSDollarVMPrototype):
845
846 2015-04-16  Geoffrey Garen  <ggaren@apple.com>
847
848         Speculative fix after r182915
849         https://bugs.webkit.org/show_bug.cgi?id=143404
850
851         Reviewed by Alexey Proskuryakov.
852
853         * runtime/SymbolConstructor.h:
854
855 2015-04-16  Mark Lam  <mark.lam@apple.com>
856
857         Fixed some typos in a comment.
858
859         Not reviewed.
860
861         * dfg/DFGGenerationInfo.h:
862
863 2015-04-16  Yusuke Suzuki  <utatane.tea@gmail.com>
864
865         [ES6] Implement Symbol.for and Symbol.keyFor
866         https://bugs.webkit.org/show_bug.cgi?id=143404
867
868         Reviewed by Geoffrey Garen.
869
870         This patch implements Symbol.for and Symbol.keyFor.
871         SymbolRegistry maintains registered StringImpl* symbols.
872         To make this mapping available across realms,
873         VM owns this mapping (not JSGlobalObject).
874
875         While there's a default AtomicStringTable per thread,
876         a SymbolRegistry should not span VMs.
877         So every time a VM is created, a SymbolRegistry is also created.
878
879         In the SymbolRegistry implementation, we don't leverage WeakGCMap (or a weak reference design).
880         There are several reasons.
881         1. StringImpl*, which represents the identity of Symbols, is not a GC-managed object.
882            So we cannot use WeakGCMap directly.
883            While Symbol* is a GC-managed object, holding a weak reference to Symbol* doesn't maintain the liveness of JS symbols (the primitive values exposed to users),
884            because distinct Symbol* can exist.
885            A distinct Symbol* means a Symbol* object whose pointer value (Symbol*) is different from the weakly referenced Symbol* but whose held StringImpl* is the same.
886
887         2. We don't use WTF::WeakPtr. If we add a WeakPtrFactory to StringImpl's members, we can track StringImpl*'s liveness by WeakPtr.
888            However, there's a problem about when we prune stale entries in SymbolRegistry.
889            The memory allocated for the Symbol is typically occupied by the allocated symbolized StringImpl*'s content,
890            and it is not in the GC heap.
891            While heavily registering Symbols and storing StringImpl* into SymbolRegistry, the Heap's EdenSpace is not so occupied.
892            So GC typically attempts to perform an EdenCollection, and it doesn't call WeakGCMap's pruneStaleEntries callback.
893            As a result, before stale entries in SymbolRegistry are pruned, fast-malloc'ed memory fills up the system memory.
894
895         So instead of using weak references, we take a relatively simple design.
896         When we register a symbolized StringImpl* into SymbolRegistry, the symbolized StringImpl* is aware of that.
897         And when it is destructed, it removes its reference from SymbolRegistry, as atomic StringImpls do with AtomicStringTable.
898
899         * CMakeLists.txt:
900         * DerivedSources.make:
901         * runtime/SymbolConstructor.cpp:
902         (JSC::SymbolConstructor::getOwnPropertySlot):
903         (JSC::symbolConstructorFor):
904         (JSC::symbolConstructorKeyFor):
905         * runtime/SymbolConstructor.h:
906         * runtime/VM.cpp:
907         * runtime/VM.h:
908         (JSC::VM::symbolRegistry):
909         * tests/stress/symbol-registry.js: Added.
910         (test):
911
912 2015-04-16  Yusuke Suzuki  <utatane.tea@gmail.com>
913
914         [ES6] Use specific functions for @@iterator functions
915         https://bugs.webkit.org/show_bug.cgi?id=143838
916
917         Reviewed by Geoffrey Garen.
918
919         In ES6, some methods are defined under different names.
920
921         For example,
922
923         Map.prototype[Symbol.iterator] === Map.prototype.entries
924         Set.prototype[Symbol.iterator] === Set.prototype.values
925         Array.prototype[Symbol.iterator] === Array.prototype.values
926         %Arguments%[Symbol.iterator] === Array.prototype.values
927
928         However, the current implementation creates different function objects per name.
929         This patch fixes it by setting the object that is used for the other method to @@iterator,
930         e.g. setting the Array.prototype.values function object to Array.prototype[Symbol.iterator].
931
932         And we drop the Arguments iterator implementation and replace the Arguments[@@iterator] implementation
933         with Array.prototype.values to conform to the spec.
934
935         * CMakeLists.txt:
936         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
937         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
938         * JavaScriptCore.xcodeproj/project.pbxproj:
939         * inspector/JSInjectedScriptHost.cpp:
940         (Inspector::JSInjectedScriptHost::subtype):
941         (Inspector::JSInjectedScriptHost::getInternalProperties):
942         (Inspector::JSInjectedScriptHost::iteratorEntries):
943         * runtime/ArgumentsIteratorConstructor.cpp: Removed.
944         * runtime/ArgumentsIteratorConstructor.h: Removed.
945         * runtime/ArgumentsIteratorPrototype.cpp: Removed.
946         * runtime/ArgumentsIteratorPrototype.h: Removed.
947         * runtime/ArrayPrototype.cpp:
948         (JSC::ArrayPrototype::finishCreation):
949         * runtime/ArrayPrototype.h:
950         * runtime/ClonedArguments.cpp:
951         (JSC::ClonedArguments::getOwnPropertySlot):
952         (JSC::ClonedArguments::put):
953         (JSC::ClonedArguments::deleteProperty):
954         (JSC::ClonedArguments::defineOwnProperty):
955         (JSC::ClonedArguments::materializeSpecials):
956         * runtime/ClonedArguments.h:
957         * runtime/CommonIdentifiers.h:
958         * runtime/DirectArguments.cpp:
959         (JSC::DirectArguments::overrideThings):
960         * runtime/GenericArgumentsInlines.h:
961         (JSC::GenericArguments<Type>::getOwnPropertySlot):
962         (JSC::GenericArguments<Type>::getOwnPropertyNames):
963         (JSC::GenericArguments<Type>::put):
964         (JSC::GenericArguments<Type>::deleteProperty):
965         (JSC::GenericArguments<Type>::defineOwnProperty):
966         * runtime/JSArgumentsIterator.cpp: Removed.
967         * runtime/JSArgumentsIterator.h: Removed.
968         * runtime/JSGlobalObject.cpp:
969         (JSC::JSGlobalObject::init):
970         (JSC::JSGlobalObject::visitChildren):
971         * runtime/JSGlobalObject.h:
972         (JSC::JSGlobalObject::arrayProtoValuesFunction):
973         * runtime/MapPrototype.cpp:
974         (JSC::MapPrototype::finishCreation):
975         * runtime/ScopedArguments.cpp:
976         (JSC::ScopedArguments::overrideThings):
977         * runtime/SetPrototype.cpp:
978         (JSC::SetPrototype::finishCreation):
979         * tests/stress/arguments-iterator.js: Added.
980         (test):
981         (testArguments):
982         * tests/stress/iterator-functions.js: Added.
983         (test):
984         (argumentsTests):
985
986 2015-04-14  Mark Lam  <mark.lam@apple.com>
987
988         Add JSC_functionOverrides=<overrides file> debugging tool.
989         https://bugs.webkit.org/show_bug.cgi?id=143717
990
991         Reviewed by Geoffrey Garen.
992
993         This tool allows us to do runtime replacement of function bodies with alternatives
994         for debugging purposes.  For example, this is useful when we need to debug VM bugs
995         which manifest in scripts executing in webpages downloaded from remote servers
996         that we don't control.  The tool allows us to augment those scripts with logging
997         or test code to help isolate the bugs.
998
999         This tool works by substituting the SourceCode at FunctionExecutable creation
1000         time.  It identifies which SourceCode to substitute by comparing the source
1001         string against keys in a set of key value pairs.
1002
1003         The keys are function body strings defined by 'override' clauses in the overrides
1004         file specified in the JSC_functionOverrides option.  The values are function
1005         body strings defined by 'with' clauses in the overrides file.
1006         See the comment blob at the top of FunctionOverrides.cpp on the formatting
1007         of the overrides file.
1008
1009         At FunctionExecutable creation time, if the SourceCode string matches one of the
1010         'override' keys from the overrides file, the tool will replace the SourceCode with
1011         a new one based on the corresponding 'with' value string.  The FunctionExecutable
1012         will then be created with the new SourceCode instead.
1013
1014         Some design decisions:
1015         1. We opted to require that the 'with' clause appear on a separate line from the
1016            'override' clause because this makes it easier to read and write when the
1017            'override' clause's function body is single lined and long.
1018
1019         2. The user can use any sequence of characters for the delimiter (except for '{',
1020            '}' and white space characters) because this ensures that there can always be
1021            some delimiter pattern that does not appear in the function body in the clause
1022            e.g. in the body of strings in the JS code.
1023
1024            '{' and '}' are disallowed because they are used to mark the boundaries of the
1025            function body string.  White space characters are disallowed because they can
1026            be error prone (the user may not be able to tell spaces from tabs).
1027
1028         3. The start and end delimiter must be an identical sequence of characters.
1029
1030            I had considered allowing the use of complementary characters like <>, [], and
1031            () for making delimiter pairs like:
1032                [[[[ ... ]]]]
1033                <[([( ... )])]>
1034
1035            But in the end, decided against it because:
1036            a. These sequences of complementary characters can exist in JS code.
1037               In contrast, a repeating delimiter like %%%% is unlikely to appear in JS
1038               code.
1039            b. It can be error prone for the user to have to type the exact complement
1040               character for the end delimiter in reverse order.
1041               In contrast, a repeating delimiter like %%%% is much easier to type and
1042               less error prone.  Even a sequence like @#$%^ is less error prone than
1043               a complementary sequence because it can be copy-pasted, and need not be
1044               typed in reverse order.
1045            c. It is easier to parse for the same delimiter string for both start and end.
1046
1047         4. The tool does a lot of checks for syntax errors in the overrides file because
1048            we don't want any overrides to fail silently.  If a syntax error is detected,
1049            the tool will print an error message and call exit().  This avoids the user
1050            wasting time doing debugging only to be surprised later that their specified
1051            overrides did not take effect because of some unnoticed typo.
1052
1053         * CMakeLists.txt:
1054         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1055         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1056         * JavaScriptCore.xcodeproj/project.pbxproj:
1057         * bytecode/UnlinkedCodeBlock.cpp:
1058         (JSC::UnlinkedFunctionExecutable::link):
1059         * runtime/Executable.h:
1060         * runtime/Options.h:
1061         * tools/FunctionOverrides.cpp: Added.
1062         (JSC::FunctionOverrides::overrides):
1063         (JSC::FunctionOverrides::FunctionOverrides):
1064         (JSC::initializeOverrideInfo):
1065         (JSC::FunctionOverrides::initializeOverrideFor):
1066         (JSC::hasDisallowedCharacters):
1067         (JSC::parseClause):
1068         (JSC::FunctionOverrides::parseOverridesInFile):
1069         * tools/FunctionOverrides.h: Added.
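
The design decisions listed above (separate 'with' line, free-form delimiter without '{', '}' or white space, identical start and end delimiter, and loud rejection of syntax errors) carried through in code, as an added example that is not the WebKit implementation. The exact clause syntax is an assumption of this example, since the entry only points at the comment in FunctionOverrides.cpp; the parser raises an exception where the real tool prints an error and exits.

```javascript
// Added example, not the WebKit implementation: a strict parser for a
// function-overrides file in the shape the entry above describes. The exact
// syntax is an assumption of this example. Each override is a pair of clauses
//
//     override <delim>{<function body>}<delim>
//     with <delim>{<function body>}<delim>
//
// where <delim> is a non-empty run of characters other than '{', '}' and
// white space, the same at the start and end of a clause, and the 'with'
// clause begins on a later line than its 'override' clause. Any violation
// raises OverridesSyntaxError (the tool described above prints and exits).
class OverridesSyntaxError extends Error {}

function isDelimChar(ch) {
  return ch !== "{" && ch !== "}" && !/\s/.test(ch);
}

// Parse one clause whose keyword starts at `pos`.
// Returns { body, next } where `next` is the offset just past the clause.
function parseClause(text, pos, keyword) {
  if (!text.startsWith(keyword, pos))
    throw new OverridesSyntaxError(`expected '${keyword}' at offset ${pos}`);
  pos += keyword.length;
  while (text[pos] === " " || text[pos] === "\t") pos++;
  // The start delimiter is everything up to the '{' that opens the body.
  const delimStart = pos;
  while (pos < text.length && isDelimChar(text[pos])) pos++;
  const delim = text.slice(delimStart, pos);
  if (delim.length === 0 || text[pos] !== "{")
    throw new OverridesSyntaxError(
      `bad delimiter in '${keyword}' clause at offset ${delimStart}`);
  const bodyStart = pos + 1;
  // The body ends at the first '}' immediately followed by the same delimiter;
  // a '}' followed by anything else is just part of the function body.
  const endMarker = "}" + delim;
  const bodyEnd = text.indexOf(endMarker, bodyStart);
  if (bodyEnd < 0)
    throw new OverridesSyntaxError(
      `unterminated '${keyword}' clause: no closing '${endMarker}'`);
  return { body: text.slice(bodyStart, bodyEnd), next: bodyEnd + endMarker.length };
}

// Parse a whole overrides file into a Map: original body -> replacement body.
function parseOverrides(text) {
  const overrides = new Map();
  let pos = 0;
  for (;;) {
    while (pos < text.length && /\s/.test(text[pos])) pos++;
    if (pos >= text.length) break;
    const original = parseClause(text, pos, "override");
    // Design decision 1: 'with' must start on its own line.
    pos = original.next;
    let sawNewline = false;
    while (pos < text.length && /\s/.test(text[pos])) {
      if (text[pos] === "\n") sawNewline = true;
      pos++;
    }
    if (!sawNewline)
      throw new OverridesSyntaxError(
        `'with' clause must start on a new line (offset ${pos})`);
    const replacement = parseClause(text, pos, "with");
    overrides.set(original.body, replacement.body);
    pos = replacement.next;
  }
  return overrides;
}

// The substitution step: at "FunctionExecutable creation time" the source is
// looked up by exact string match and replaced only when a key matches.
function substitute(overrides, source) {
  return overrides.has(source) ? overrides.get(source) : source;
}

// True when `text` is rejected as malformed (any other error propagates).
function isRejected(text) {
  try {
    parseOverrides(text);
    return false;
  } catch (e) {
    if (e instanceof OverridesSyntaxError) return true;
    throw e;
  }
}

// Constructed sample file (not from the page). The second override's body
// deliberately contains '}%%%%', which is harmless there because that clause
// uses a different delimiter: only '}' followed by the clause's own delimiter
// ends a body.
const SAMPLE = [
  "override %%%%{ return a + b; }%%%%",
  "with %%%%{ log('add called'); return a + b; }%%%%",
  "",
  "override @#$%^{ return '}%%%%'; }@#$%^",
  "with @#$%^{ return 'patched'; }@#$%^",
  "",
].join("\n");
```

Matching is by exact source string, so an override silently stops applying when the target function's source changes by a single character; the strict parsing above only guards against malformed overrides files, not against stale keys, which is why a tool like this belongs in debug-only configurations behind an explicit option.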
1070
1071 2015-04-16  Basile Clement  <basile_clement@apple.com>
1072  
1073         Extract the allocation profile from JSFunction into a rare object
1074         https://bugs.webkit.org/show_bug.cgi?id=143807
1075  
1076         Reviewed by Filip Pizlo.
1077  
1078         The allocation profile is only needed for those functions that are used
1079         to create objects with [new].
1080         Extracting it into its own JSCell removes the need for JSFunction and
1081         JSCallee to be JSDestructibleObjects, which should improve performance in most
1082         cases at the cost of an extra pointer dereference when the allocation profile
1083         is actually needed.
1084  
1085         * CMakeLists.txt:
1086         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1087         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1088         * JavaScriptCore.xcodeproj/project.pbxproj:
1089         * dfg/DFGOperations.cpp:
1090         * dfg/DFGSpeculativeJIT32_64.cpp:
1091         (JSC::DFG::SpeculativeJIT::compile):
1092         * dfg/DFGSpeculativeJIT64.cpp:
1093         (JSC::DFG::SpeculativeJIT::compile):
1094         * jit/JITOpcodes.cpp:
1095         (JSC::JIT::emit_op_create_this):
1096         * jit/JITOpcodes32_64.cpp:
1097         (JSC::JIT::emit_op_create_this):
1098         * llint/LowLevelInterpreter32_64.asm:
1099         * llint/LowLevelInterpreter64.asm:
1100         * runtime/CommonSlowPaths.cpp:
1101         (JSC::SLOW_PATH_DECL):
1102         * runtime/FunctionRareData.cpp: Added.
1103         (JSC::FunctionRareData::create):
1104         (JSC::FunctionRareData::destroy):
1105         (JSC::FunctionRareData::createStructure):
1106         (JSC::FunctionRareData::visitChildren):
1107         (JSC::FunctionRareData::FunctionRareData):
1108         (JSC::FunctionRareData::~FunctionRareData):
1109         (JSC::FunctionRareData::finishCreation):
1110         * runtime/FunctionRareData.h: Added.
1111         (JSC::FunctionRareData::offsetOfAllocationProfile):
1112         (JSC::FunctionRareData::allocationProfile):
1113         (JSC::FunctionRareData::allocationStructure):
1114         (JSC::FunctionRareData::allocationProfileWatchpointSet):
1115         * runtime/JSBoundFunction.cpp:
1116         (JSC::JSBoundFunction::destroy): Deleted.
1117         * runtime/JSBoundFunction.h:
1118         * runtime/JSCallee.cpp:
1119         (JSC::JSCallee::destroy): Deleted.
1120         * runtime/JSCallee.h:
1121         * runtime/JSFunction.cpp:
1122         (JSC::JSFunction::JSFunction):
1123         (JSC::JSFunction::createRareData):
1124         (JSC::JSFunction::visitChildren):
1125         (JSC::JSFunction::put):
1126         (JSC::JSFunction::defineOwnProperty):
1127         (JSC::JSFunction::destroy): Deleted.
1128         (JSC::JSFunction::createAllocationProfile): Deleted.
1129         * runtime/JSFunction.h:
1130         (JSC::JSFunction::offsetOfRareData):
1131         (JSC::JSFunction::rareData):
1132         (JSC::JSFunction::allocationStructure):
1133         (JSC::JSFunction::allocationProfileWatchpointSet):
1134         (JSC::JSFunction::offsetOfAllocationProfile): Deleted.
1135         (JSC::JSFunction::allocationProfile): Deleted.
1136         * runtime/JSFunctionInlines.h:
1137         (JSC::JSFunction::JSFunction):
1138         * runtime/VM.cpp:
1139         (JSC::VM::VM):
1140         * runtime/VM.h:
1141  
1142 2015-04-16  Csaba Osztrogonác  <ossy@webkit.org>
1143
1144         Remove the unnecessary WTF_CHANGES define
1145         https://bugs.webkit.org/show_bug.cgi?id=143825
1146
1147         Reviewed by Andreas Kling.
1148
1149         * config.h:
1150
1151 2015-04-15  Andreas Kling  <akling@apple.com>
1152
1153         Make MarkedBlock and WeakBlock 4x smaller.
1154         <https://webkit.org/b/143802>
1155
1156         Reviewed by Mark Hahnenberg.
1157
1158         To reduce GC heap fragmentation and generally use less memory, reduce the size of MarkedBlock
1159         and its buddy WeakBlock by 4x, bringing them from 64kB+4kB to 16kB+1kB.
1160
1161         In a sampling of cool web sites, I'm seeing ~8% average reduction in overall GC heap size.
1162         Some examples:
1163
1164                    apple.com:  6.3MB ->  5.5MB (14.5% smaller)
1165                   reddit.com:  4.5MB ->  4.1MB ( 9.7% smaller)
1166                  twitter.com: 23.2MB -> 21.4MB ( 8.4% smaller)
1167             cuteoverload.com: 24.5MB -> 23.6MB ( 3.8% smaller)
1168
1169         Benchmarks look mostly neutral.
1170         Some small slowdowns on Octane, some slightly bigger speedups on Kraken and SunSpider.
1171
1172         * heap/MarkedBlock.h:
1173         * heap/WeakBlock.h:
1174         * llint/LLIntData.cpp:
1175         (JSC::LLInt::Data::performAssertions):
1176         * llint/LowLevelInterpreter.asm:
1177
1178 2015-04-15  Jordan Harband  <ljharb@gmail.com>
1179
1180         String.prototype.startsWith/endsWith/includes have wrong length in r182673
1181         https://bugs.webkit.org/show_bug.cgi?id=143659
1182
1183         Reviewed by Benjamin Poulain.
1184
1185         Fix lengths of String.prototype.{includes,startsWith,endsWith} per spec
1186         https://people.mozilla.org/~jorendorff/es6-draft.html#sec-string.prototype.includes
1187         https://people.mozilla.org/~jorendorff/es6-draft.html#sec-string.prototype.startswith
1188         https://people.mozilla.org/~jorendorff/es6-draft.html#sec-string.prototype.endswith
1189
1190         * runtime/StringPrototype.cpp:
1191         (JSC::StringPrototype::finishCreation):
1192
1193 2015-04-15  Mark Lam  <mark.lam@apple.com>
1194
1195         Remove obsolete VMInspector debugging tool.
1196         https://bugs.webkit.org/show_bug.cgi?id=143798
1197
1198         Reviewed by Michael Saboff.
1199
1200         I added the VMInspector tool 3 years ago to aid in VM hacking work.  Some of it
1201         has bit rotted, and now the VM also has better ways to achieve its functionality.
1202         Hence this code is now obsolete and should be removed.
1203
1204         * CMakeLists.txt:
1205         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1206         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1207         * JavaScriptCore.xcodeproj/project.pbxproj:
1208         * interpreter/CallFrame.h:
1209         * interpreter/VMInspector.cpp: Removed.
1210         * interpreter/VMInspector.h: Removed.
1211         * llint/LowLevelInterpreter.cpp:
1212
1213 2015-04-15  Jordan Harband  <ljharb@gmail.com>
1214
1215         Math.imul has wrong length in Safari 8.0.4
1216         https://bugs.webkit.org/show_bug.cgi?id=143658
1217
1218         Reviewed by Benjamin Poulain.
1219
1220         Correcting function length from 1 to 2, to match the spec
1221         https://people.mozilla.org/~jorendorff/es6-draft.html#sec-math.imul
1222
1223         * runtime/MathObject.cpp:
1224         (JSC::MathObject::finishCreation):
1225
1226 2015-04-15  Jordan Harband  <ljharb@gmail.com>
1227
1228         Number.parseInt in nightly r182673 has wrong length
1229         https://bugs.webkit.org/show_bug.cgi?id=143657
1230
1231         Reviewed by Benjamin Poulain.
1232
1233         Correcting function length from 1 to 2, to match the spec
1234         https://people.mozilla.org/~jorendorff/es6-draft.html#sec-number.parseint
1235
1236         * runtime/NumberConstructor.cpp:
1237         (JSC::NumberConstructor::finishCreation):
1238
1239 2015-04-15  Filip Pizlo  <fpizlo@apple.com>
1240
1241         Harden DFGForAllKills
1242         https://bugs.webkit.org/show_bug.cgi?id=143792
1243
1244         Reviewed by Geoffrey Garen.
1245         
1246         Unfortunately, we don't have a good way to test this yet - but it will be needed to prevent
1247         bugs in https://bugs.webkit.org/show_bug.cgi?id=143734.
1248         
1249         Previously ForAllKills used the bytecode kill analysis. That seemed like a good idea because
1250         that analysis is cheaper than the full liveness analysis. Unfortunately, it's probably wrong:
1251         
1252         - It looks for kill sites at forExit origin boundaries. But, something might have been killed
1253           by an operation that was logically in between the forExit origins at the boundary, but was
1254           removed from the DFG for whatever reason. The DFG is allowed to have bytecode instruction
1255           gaps.
1256         
1257         - It overlooked the fact that a MovHint that addresses a local that is always live kills that
1258           local. For example, storing to an argument means that the prior value of the argument is
1259           killed.
1260         
1261         This fixes the analysis by making it handle MovHints directly, and making it define kills in
1262         the most conservative way possible: it asks if you were live before but dead after. If we
1263         have the compile time budget to afford this more direct approach, then it's definitely a good
1264         idea since it's so fool-proof.
1265
1266         * dfg/DFGArgumentsEliminationPhase.cpp:
1267         * dfg/DFGForAllKills.h:
1268         (JSC::DFG::forAllKilledOperands):
1269         (JSC::DFG::forAllKilledNodesAtNodeIndex):
1270         (JSC::DFG::forAllDirectlyKilledOperands): Deleted.
1271
1272 2015-04-15  Joseph Pecoraro  <pecoraro@apple.com>
1273
1274         Provide SPI to allow changing whether JSContexts are remote debuggable by default
1275         https://bugs.webkit.org/show_bug.cgi?id=143681
1276
1277         Reviewed by Darin Adler.
1278
1279         * API/JSRemoteInspector.h:
1280         * API/JSRemoteInspector.cpp:
1281         (JSRemoteInspectorGetInspectionEnabledByDefault):
1282         (JSRemoteInspectorSetInspectionEnabledByDefault):
1283         Provide SPI to toggle the default enabled inspection state of debuggables.
1284
1285         * API/JSContextRef.cpp:
1286         (JSGlobalContextCreateInGroup):
1287         Respect the default setting.
1288
1289 2015-04-15  Joseph Pecoraro  <pecoraro@apple.com>
1290
1291         JavaScriptCore: Use kCFAllocatorDefault where possible
1292         https://bugs.webkit.org/show_bug.cgi?id=143747
1293
1294         Reviewed by Darin Adler.
1295
1296         * heap/HeapTimer.cpp:
1297         (JSC::HeapTimer::HeapTimer):
1298         * inspector/remote/RemoteInspectorDebuggableConnection.mm:
1299         (Inspector::RemoteInspectorInitializeGlobalQueue):
1300         (Inspector::RemoteInspectorDebuggableConnection::setupRunLoop):
1301         For consistency and readability use the constant instead of
1302         different representations of null.
1303
1304 2015-04-14  Michael Saboff  <msaboff@apple.com>
1305
1306         Remove JavaScriptCoreUseJIT default from JavaScriptCore
1307         https://bugs.webkit.org/show_bug.cgi?id=143746
1308
1309         Reviewed by Mark Lam.
1310
1311         * runtime/VM.cpp:
1312         (JSC::enableAssembler):
1313
1314 2015-04-14  Chris Dumez  <cdumez@apple.com>
1315
1316         Regression(r180020): Web Inspector crashes on pages that have a stylesheet with an invalid MIME type
1317         https://bugs.webkit.org/show_bug.cgi?id=143745
1318         <rdar://problem/20243916>
1319
1320         Reviewed by Joseph Pecoraro.
1321
1322         Add assertion in ContentSearchUtilities::findMagicComment() to make
1323         sure the content String is not null or we would crash in
1324         JSC::Yarr::interpret() later.
1325
1326         * inspector/ContentSearchUtilities.cpp:
1327         (Inspector::ContentSearchUtilities::findMagicComment):
1328
1329 2015-04-14  Michael Saboff  <msaboff@apple.com>
1330
1331         DFG register fillSpeculate*() functions should validate incoming spill format is compatible with requested fill format
1332         https://bugs.webkit.org/show_bug.cgi?id=143727
1333
1334         Reviewed by Geoffrey Garen.
1335
1336         Used the result of AbstractInterpreter<>::filter() to check that the current spill format is compatible
1337         with the requested fill format.  If filter() reports a contradiction, then we force an OSR exit.
1338         Removed individual checks made redundant by the new check.
1339
1340         * dfg/DFGSpeculativeJIT32_64.cpp:
1341         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
1342         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1343         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
1344         * dfg/DFGSpeculativeJIT64.cpp:
1345         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
1346         (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
1347         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1348         (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
1349
1350 2015-04-14  Joseph Pecoraro  <pecoraro@apple.com>
1351
1352         Replace JavaScriptCoreOutputConsoleMessagesToSystemConsole default with an SPI
1353         https://bugs.webkit.org/show_bug.cgi?id=143691
1354
1355         Reviewed by Geoffrey Garen.
1356
1357         * API/JSRemoteInspector.h:
1358         * API/JSRemoteInspector.cpp:
1359         (JSRemoteInspectorSetLogToSystemConsole):
1360         Add SPI to enable/disable logging to the system console.
1361         This only affects JSContext `console` logs and warnings.
1362
1363         * inspector/JSGlobalObjectConsoleClient.h:
1364         * inspector/JSGlobalObjectConsoleClient.cpp:
1365         (Inspector::JSGlobalObjectConsoleClient::logToSystemConsole):
1366         (Inspector::JSGlobalObjectConsoleClient::setLogToSystemConsole):
1367         (Inspector::JSGlobalObjectConsoleClient::messageWithTypeAndLevel):
1368         (Inspector::JSGlobalObjectConsoleClient::initializeLogToSystemConsole): Deleted.
1369         Simplify access to the setting now that it doesn't need to
1370         initialize its value from preferences.
1371
1372 2015-04-14  Joseph Pecoraro  <pecoraro@apple.com>
1373
1374         Web Inspector: Auto-attach fails after r179562, initialization too late after dispatch
1375         https://bugs.webkit.org/show_bug.cgi?id=143682
1376
1377         Reviewed by Timothy Hatcher.
1378
1379         * inspector/remote/RemoteInspector.mm:
1380         (Inspector::RemoteInspector::singleton):
1381         If we are on the main thread, run the initialization immediately.
1382         Otherwise dispatch to the main thread. This way if the first JSContext
1383         was created on the main thread it can get auto-attached if applicable.
1384
1385 2015-04-14  Joseph Pecoraro  <pecoraro@apple.com>
1386
1387         Unreviewed build fix for Mavericks.
1388
1389         Mavericks includes this file but does not enable ENABLE_REMOTE_INSPECTOR
1390         so the Inspector namespace is not available when compiling this file.
1391
1392         * API/JSRemoteInspector.cpp:
1393
1394 2015-04-14  Joseph Pecoraro  <pecoraro@apple.com>
1395
1396         Web Inspector: Expose private APIs to interact with RemoteInspector instead of going through WebKit
1397         https://bugs.webkit.org/show_bug.cgi?id=143729
1398
1399         Reviewed by Timothy Hatcher.
1400
1401         * API/JSRemoteInspector.h: Added.
1402         * API/JSRemoteInspector.cpp: Added.
1403         (JSRemoteInspectorDisableAutoStart):
1404         (JSRemoteInspectorStart):
1405         (JSRemoteInspectorSetParentProcessInformation):
1406         Add the new SPIs for basic remote inspection behavior.
1407
1408         * JavaScriptCore.xcodeproj/project.pbxproj:
1409         Add the new files to Mac only, since remote inspection is only
1410         enabled there anyway.
1411
1412 2015-04-14  Mark Lam  <mark.lam@apple.com>
1413
1414         Rename JSC_dfgFunctionWhitelistFile to JSC_dfgWhitelist.
1415         https://bugs.webkit.org/show_bug.cgi?id=143722
1416
1417         Reviewed by Michael Saboff.
1418
1419         Renaming JSC_dfgFunctionWhitelistFile to JSC_dfgWhitelist so that it is
1420         shorter, and easier to remember (without having to look it up) and to
1421         type.  JSC options now support descriptions, and one can always look up
1422         the description if the option's purpose is not already obvious.
1423
1424         * dfg/DFGFunctionWhitelist.cpp:
1425         (JSC::DFG::FunctionWhitelist::ensureGlobalWhitelist):
1426         (JSC::DFG::FunctionWhitelist::contains):
1427         * runtime/Options.h:
1428
1429 2015-04-13  Filip Pizlo  <fpizlo@apple.com>
1430
1431         Unreviewed, fix Windows build. Windows doesn't take kindly to private classes that use FAST_ALLOCATED.
1432
1433         * runtime/InferredValue.h:
1434
1435 2015-04-13  Filip Pizlo  <fpizlo@apple.com>
1436
1437         Unreviewed, fix build. I introduced a new cell type at the same time as kling changed how new cell types are written.
1438
1439         * runtime/InferredValue.h:
1440
1441 2015-04-08  Filip Pizlo  <fpizlo@apple.com>
1442
1443         JSC should detect singleton functions
1444         https://bugs.webkit.org/show_bug.cgi?id=143232
1445
1446         Reviewed by Geoffrey Garen.
1447         
1448         This started out as an attempt to make constructors faster by detecting when a constructor is a
1449         singleton. The idea is that each FunctionExecutable has a VariableWatchpointSet - a watchpoint
1450         along with an inferred value - that detects if only one JSFunction has been allocated for that
1451         executable, and if so, what that JSFunction is. Then, inside the code for the FunctionExecutable,
1452         if the watchpoint set has an inferred value (i.e. it's been initialized and it is still valid),
1453         we can constant-fold GetCallee.
1454         
1455         Unfortunately, constructors don't use GetCallee anymore, so that didn't pan out. But in the
1456         process I realized a bunch of things:
1457         
1458         - This allows us to completely eliminate the GetCallee/GetScope sequence that we still sometimes
1459           had even in code where our singleton-closure detection worked. That's because singleton-closure
1460           inference worked at the op_resolve_scope, and that op_resolve_scope still needed to keep alive
1461           the incoming scope in case we OSR exit. But by constant-folding GetCallee, that sequence
1462           disappears. OSR exit can rematerialize the callee or the scope by just knowing their constant
1463           values.
1464           
1465         - Singleton detection should be a reusable thing. So, I got rid of VariableWatchpointSet and
1466           created InferredValue. InferredValue is a cell, so it can handle its own GC magic.
1467           FunctionExecutable uses an InferredValue to tell you about singleton JSFunctions.
1468         
1469         - The old singleton-scope detection in op_resolve_scope is better abstracted as a SymbolTable
1470           detecting a singleton JSSymbolTableObject. So, SymbolTable uses an InferredValue to tell you
1471           about singleton JSSymbolTableObjects. It's curious that we want to have singleton detection in
1472           SymbolTable if we already have it in FunctionExecutable. This comes into play in two ways.
1473           First, it means that the DFG can realize sooner that a resolve_scope resolves to a constant
1474           scope. This saves compile times and it allows prediction propagation to benefit from the
1475           constant folding. Second, it means that we will detect a singleton scope even if it is
1476           referenced from a non-singleton scope that is nearer to us in the scope chain. This refactoring
1477           allows us to eliminate the function reentry watchpoint.
1478         
1479         - This allows us to use a normal WatchpointSet, instead of a VariableWatchpointSet, for inferring
1480           constant values in scopes. Previously when the DFG inferred that a closure variable was
1481           constant, it wouldn't know which closure that variable was in and so it couldn't just load that
1482           value. But now we are first inferring that the function is a singleton, which means that we
1483           know exactly what scope it points to, and we can load the value from the scope. Using a
1484           WatchpointSet instead of a VariableWatchpointSet saves some memory and simplifies a bunch of
1485           code. This also means that now, the only user of VariableWatchpointSet is FunctionExecutable.
1486           I've tweaked the code of VariableWatchpointSet to reduce its power to just be what
1487           FunctionExecutable wants.
1488         
1489         This also has the effect of simplifying the implementation of block scoping. Prior to this
1490         change, block scoping would have needed to have some story for the function reentry watchpoint on
1491         any nested symbol table. That's totally weird to think about; it's not really a function reentry
1492         but a scope reentry. Now we don't have to think about this. Constant inference on nested scopes
1493         will "just work": if we prove that we know the constant value of the scope then the machinery
1494         kicks in, otherwise it doesn't.
1495         
1496         This is a small Octane and AsmBench speed-up. AsmBench sees 1% while Octane sees sub-1%.
1497
1498         * CMakeLists.txt:
1499         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1500         * JavaScriptCore.xcodeproj/project.pbxproj:
1501         * bytecode/BytecodeList.json:
1502         * bytecode/BytecodeUseDef.h:
1503         (JSC::computeUsesForBytecodeOffset):
1504         (JSC::computeDefsForBytecodeOffset):
1505         * bytecode/CodeBlock.cpp:
1506         (JSC::CodeBlock::dumpBytecode):
1507         (JSC::CodeBlock::CodeBlock):
1508         (JSC::CodeBlock::finalizeUnconditionally):
1509         (JSC::CodeBlock::valueProfileForBytecodeOffset):
1510         * bytecode/CodeBlock.h:
1511         (JSC::CodeBlock::valueProfileForBytecodeOffset): Deleted.
1512         * bytecode/CodeOrigin.cpp:
1513         (JSC::InlineCallFrame::calleeConstant):
1514         (JSC::InlineCallFrame::visitAggregate):
1515         * bytecode/CodeOrigin.h:
1516         (JSC::InlineCallFrame::calleeConstant): Deleted.
1517         (JSC::InlineCallFrame::visitAggregate): Deleted.
1518         * bytecode/Instruction.h:
1519         * bytecode/VariableWatchpointSet.cpp: Removed.
1520         * bytecode/VariableWatchpointSet.h: Removed.
1521         * bytecode/VariableWatchpointSetInlines.h: Removed.
1522         * bytecode/VariableWriteFireDetail.cpp: Added.
1523         (JSC::VariableWriteFireDetail::dump):
1524         (JSC::VariableWriteFireDetail::touch):
1525         * bytecode/VariableWriteFireDetail.h: Added.
1526         (JSC::VariableWriteFireDetail::VariableWriteFireDetail):
1527         * bytecode/Watchpoint.h:
1528         (JSC::WatchpointSet::stateOnJSThread):
1529         (JSC::WatchpointSet::startWatching):
1530         (JSC::WatchpointSet::fireAll):
1531         (JSC::WatchpointSet::touch):
1532         (JSC::WatchpointSet::invalidate):
1533         (JSC::InlineWatchpointSet::stateOnJSThread):
1534         (JSC::InlineWatchpointSet::state):
1535         (JSC::InlineWatchpointSet::hasBeenInvalidated):
1536         (JSC::InlineWatchpointSet::invalidate):
1537         (JSC::InlineWatchpointSet::touch):
1538         * bytecompiler/BytecodeGenerator.cpp:
1539         (JSC::BytecodeGenerator::BytecodeGenerator):
1540         * dfg/DFGAbstractInterpreterInlines.h:
1541         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1542         * dfg/DFGByteCodeParser.cpp:
1543         (JSC::DFG::ByteCodeParser::get):
1544         (JSC::DFG::ByteCodeParser::parseBlock):
1545         (JSC::DFG::ByteCodeParser::getScope): Deleted.
1546         * dfg/DFGCapabilities.cpp:
1547         (JSC::DFG::capabilityLevel):
1548         * dfg/DFGClobberize.h:
1549         (JSC::DFG::clobberize):
1550         * dfg/DFGDesiredWatchpoints.cpp:
1551         (JSC::DFG::InferredValueAdaptor::add):
1552         (JSC::DFG::DesiredWatchpoints::addLazily):
1553         (JSC::DFG::DesiredWatchpoints::reallyAdd):
1554         (JSC::DFG::DesiredWatchpoints::areStillValid):
1555         * dfg/DFGDesiredWatchpoints.h:
1556         (JSC::DFG::InferredValueAdaptor::hasBeenInvalidated):
1557         (JSC::DFG::DesiredWatchpoints::isWatched):
1558         * dfg/DFGGraph.cpp:
1559         (JSC::DFG::Graph::dump):
1560         (JSC::DFG::Graph::tryGetConstantClosureVar):
1561         * dfg/DFGNode.h:
1562         (JSC::DFG::Node::hasWatchpointSet):
1563         (JSC::DFG::Node::watchpointSet):
1564         (JSC::DFG::Node::hasVariableWatchpointSet): Deleted.
1565         (JSC::DFG::Node::variableWatchpointSet): Deleted.
1566         * dfg/DFGOperations.cpp:
1567         * dfg/DFGOperations.h:
1568         * dfg/DFGSpeculativeJIT.cpp:
1569         (JSC::DFG::SpeculativeJIT::compileNewFunction):
1570         (JSC::DFG::SpeculativeJIT::compileCreateActivation):
1571         (JSC::DFG::SpeculativeJIT::compileNotifyWrite):
1572         * dfg/DFGSpeculativeJIT.h:
1573         (JSC::DFG::SpeculativeJIT::callOperation):
1574         * dfg/DFGSpeculativeJIT32_64.cpp:
1575         (JSC::DFG::SpeculativeJIT::compile):
1576         * dfg/DFGSpeculativeJIT64.cpp:
1577         (JSC::DFG::SpeculativeJIT::compile):
1578         * dfg/DFGVarargsForwardingPhase.cpp:
1579         * ftl/FTLIntrinsicRepository.h:
1580         * ftl/FTLLowerDFGToLLVM.cpp:
1581         (JSC::FTL::LowerDFGToLLVM::compileCreateActivation):
1582         (JSC::FTL::LowerDFGToLLVM::compileNewFunction):
1583         (JSC::FTL::LowerDFGToLLVM::compileNotifyWrite):
1584         * interpreter/Interpreter.cpp:
1585         (JSC::StackFrame::friendlySourceURL):
1586         (JSC::StackFrame::friendlyFunctionName):
1587         * interpreter/Interpreter.h:
1588         (JSC::StackFrame::friendlySourceURL): Deleted.
1589         (JSC::StackFrame::friendlyFunctionName): Deleted.
1590         * jit/JIT.cpp:
1591         (JSC::JIT::emitNotifyWrite):
1592         (JSC::JIT::privateCompileMainPass):
1593         * jit/JIT.h:
1594         * jit/JITOpcodes.cpp:
1595         (JSC::JIT::emit_op_touch_entry): Deleted.
1596         * jit/JITOperations.cpp:
1597         * jit/JITOperations.h:
1598         * jit/JITPropertyAccess.cpp:
1599         (JSC::JIT::emitPutGlobalVar):
1600         (JSC::JIT::emitPutClosureVar):
1601         (JSC::JIT::emitNotifyWrite): Deleted.
1602         * jit/JITPropertyAccess32_64.cpp:
1603         (JSC::JIT::emitPutGlobalVar):
1604         (JSC::JIT::emitPutClosureVar):
1605         (JSC::JIT::emitNotifyWrite): Deleted.
1606         * llint/LLIntSlowPaths.cpp:
1607         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1608         * llint/LowLevelInterpreter.asm:
1609         * llint/LowLevelInterpreter32_64.asm:
1610         * llint/LowLevelInterpreter64.asm:
1611         * runtime/CommonSlowPaths.cpp:
1612         (JSC::SLOW_PATH_DECL): Deleted.
1613         * runtime/CommonSlowPaths.h:
1614         * runtime/Executable.cpp:
1615         (JSC::FunctionExecutable::finishCreation):
1616         (JSC::FunctionExecutable::visitChildren):
1617         * runtime/Executable.h:
1618         (JSC::FunctionExecutable::singletonFunction):
1619         * runtime/InferredValue.cpp: Added.
1620         (JSC::InferredValue::create):
1621         (JSC::InferredValue::destroy):
1622         (JSC::InferredValue::createStructure):
1623         (JSC::InferredValue::visitChildren):
1624         (JSC::InferredValue::InferredValue):
1625         (JSC::InferredValue::~InferredValue):
1626         (JSC::InferredValue::notifyWriteSlow):
1627         (JSC::InferredValue::ValueCleanup::ValueCleanup):
1628         (JSC::InferredValue::ValueCleanup::~ValueCleanup):
1629         (JSC::InferredValue::ValueCleanup::finalizeUnconditionally):
1630         * runtime/InferredValue.h: Added.
1631         (JSC::InferredValue::inferredValue):
1632         (JSC::InferredValue::state):
1633         (JSC::InferredValue::isStillValid):
1634         (JSC::InferredValue::hasBeenInvalidated):
1635         (JSC::InferredValue::add):
1636         (JSC::InferredValue::notifyWrite):
1637         (JSC::InferredValue::invalidate):
1638         * runtime/JSEnvironmentRecord.cpp:
1639         (JSC::JSEnvironmentRecord::visitChildren):
1640         * runtime/JSEnvironmentRecord.h:
1641         (JSC::JSEnvironmentRecord::isValid):
1642         (JSC::JSEnvironmentRecord::finishCreation):
1643         * runtime/JSFunction.cpp:
1644         (JSC::JSFunction::create):
1645         * runtime/JSFunction.h:
1646         (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
1647         (JSC::JSFunction::createImpl):
1648         (JSC::JSFunction::create): Deleted.
1649         * runtime/JSGlobalObject.cpp:
1650         (JSC::JSGlobalObject::addGlobalVar):
1651         (JSC::JSGlobalObject::addFunction):
1652         * runtime/JSGlobalObject.h:
1653         * runtime/JSLexicalEnvironment.cpp:
1654         (JSC::JSLexicalEnvironment::symbolTablePut):
1655         * runtime/JSScope.h:
1656         (JSC::ResolveOp::ResolveOp):
1657         * runtime/JSSegmentedVariableObject.h:
1658         (JSC::JSSegmentedVariableObject::finishCreation):
1659         * runtime/JSSymbolTableObject.h:
1660         (JSC::JSSymbolTableObject::JSSymbolTableObject):
1661         (JSC::JSSymbolTableObject::setSymbolTable):
1662         (JSC::symbolTablePut):
1663         (JSC::symbolTablePutWithAttributes):
1664         * runtime/PutPropertySlot.h:
1665         * runtime/SymbolTable.cpp:
1666         (JSC::SymbolTableEntry::prepareToWatch):
1667         (JSC::SymbolTable::SymbolTable):
1668         (JSC::SymbolTable::finishCreation):
1669         (JSC::SymbolTable::visitChildren):
1670         (JSC::SymbolTableEntry::inferredValue): Deleted.
1671         (JSC::SymbolTableEntry::notifyWriteSlow): Deleted.
1672         (JSC::SymbolTable::WatchpointCleanup::WatchpointCleanup): Deleted.
1673         (JSC::SymbolTable::WatchpointCleanup::~WatchpointCleanup): Deleted.
1674         (JSC::SymbolTable::WatchpointCleanup::finalizeUnconditionally): Deleted.
1675         * runtime/SymbolTable.h:
1676         (JSC::SymbolTableEntry::disableWatching):
1677         (JSC::SymbolTableEntry::watchpointSet):
1678         (JSC::SymbolTable::singletonScope):
1679         (JSC::SymbolTableEntry::notifyWrite): Deleted.
1680         * runtime/TypeProfiler.cpp:
1681         * runtime/VM.cpp:
1682         (JSC::VM::VM):
1683         * runtime/VM.h:
1684         * tests/stress/infer-uninitialized-closure-var.js: Added.
1685         (foo.f):
1686         (foo):
1687         * tests/stress/singleton-scope-then-overwrite.js: Added.
1688         (foo.f):
1689         (foo):
1690         * tests/stress/singleton-scope-then-realloc-and-overwrite.js: Added.
1691         (foo):
1692         * tests/stress/singleton-scope-then-realloc.js: Added.
1693         (foo):
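
The following is an added illustration, not JSC code: a small JavaScript model of the InferredValue idea the entry above describes. The object starts out knowing nothing, remembers the first value written to it, and becomes permanently invalid as soon as a different value is written; code that relied on the inferred constant registers a watchpoint, which is fired on invalidation so that code can be discarded. Method names follow the ones listed in the entry (notifyWrite, invalidate, isStillValid, hasBeenInvalidated, add); the state labels, the CompiledCode class and the scenario() walkthrough are this model's own constructions.

```javascript
// Added model of singleton detection via an inferred value plus watchpoints.
// Not JavaScriptCore code; the state labels below are this model's own.
const ClearWatchpoint = "ClearWatchpoint"; // nothing written yet
const IsWatched = "IsWatched";             // exactly one distinct value seen so far
const IsInvalidated = "IsInvalidated";     // a second, different value was seen

class InferredValue {
  constructor() {
    this.state = ClearWatchpoint;
    this.value = undefined;
    this.watchpoints = new Set();
  }
  // Called on every write: here, every function object allocated for one executable.
  notifyWrite(value) {
    if (this.state === ClearWatchpoint) {
      this.value = value;          // first write: this becomes the inferred singleton
      this.state = IsWatched;
    } else if (this.state === IsWatched && value !== this.value) {
      this.invalidate();           // a different value: the inference is dead for good
    }
    // IsInvalidated, or the same value again: nothing to do
  }
  invalidate() {
    this.state = IsInvalidated;
    this.value = undefined;
    const fired = [...this.watchpoints];
    this.watchpoints.clear();
    for (const wp of fired) wp.fire(); // tell dependents their assumption broke
  }
  isStillValid() { return this.state !== IsInvalidated; }
  hasBeenInvalidated() { return this.state === IsInvalidated; }
  // The constant a compiler may fold, or undefined when nothing can be assumed.
  inferredValue() { return this.state === IsWatched ? this.value : undefined; }
  // Register a dependent; returns false if the value can no longer be relied on.
  add(watchpoint) {
    if (this.hasBeenInvalidated()) return false;
    this.watchpoints.add(watchpoint);
    return true;
  }
}

// Stands in for compiled code that baked the singleton in as a constant and must
// be thrown away when the watchpoint fires.
class CompiledCode {
  constructor(label) { this.label = label; this.valid = true; }
  fire() { this.valid = false; }
}

// Constructed scenario: one executable (the inner arrow function) is allocated
// once, reported again, then allocated a second time with a different closure.
function scenario() {
  const executable = new InferredValue();
  const makeClosure = (n) => () => n;    // each call allocates a new function object

  const first = makeClosure(1);
  executable.notifyWrite(first);         // first allocation: `first` is the singleton
  const stateAfterFirst = executable.state;
  const inferredIsFirst = executable.inferredValue() === first;

  const code = new CompiledCode("callee folded to `first`");
  const watched = executable.add(code);  // compiled code now depends on the inference

  executable.notifyWrite(first);         // same function reported again: unchanged
  const stateAfterRepeat = executable.state;
  const codeValidAfterRepeat = code.valid;

  const second = makeClosure(2);
  executable.notifyWrite(second);        // a different function: invalidate, jettison code
  const stateAfterSecond = executable.state;
  const codeValidAfterSecond = code.valid;

  const lateAdd = executable.add(new CompiledCode("too late")); // false: nothing to rely on

  return { stateAfterFirst, inferredIsFirst, watched, stateAfterRepeat, codeValidAfterRepeat,
           stateAfterSecond, codeValidAfterSecond, lateAdd,
           inferredAfterSecond: executable.inferredValue() };
}
```

The point the model makes is the one the entry relies on: once a second distinct value has been seen there is no way back to a watched state, so anything compiled against the inferred constant has to be registered as a dependent and discarded when the watchpoint fires, and a dependent that arrives after invalidation is refused rather than silently accepted.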
1694
1695 2015-04-13  Andreas Kling  <akling@apple.com>
1696
1697         Don't segregate heap objects based on Structure immortality.
1698         <https://webkit.org/b/143638>
1699
1700         Reviewed by Darin Adler.
1701
1702         Put all objects that need a destructor call into the same MarkedBlock.
1703         This reduces memory consumption in many situations, while improving locality,
1704         since much more of the MarkedBlock space can be shared.
1705
1706         Instead of branching on the MarkedBlock type, we now check a bit in the
1707         JSCell's inline type flags (StructureIsImmortal) to see whether it's safe
1708         to access the cell's Structure during destruction or not.
1709
1710         Performance benchmarks look mostly neutral. Maybe a small regression on
1711         SunSpider's date objects.
1712
1713         On the amazon.com landing page, this saves us 50 MarkedBlocks (3200kB) along
1714         with a bunch of WeakBlocks that were hanging off of them. That's on the higher
1715         end of savings we can get from this, but still a very real improvement.
1716
1717         Most of this patch is removing the "hasImmortalStructure" constant from JSCell
1718         derived classes and passing that responsibility to the StructureIsImmortal flag.
1719         StructureFlags is made public so that it's accessible from non-member functions.
1720         I made sure to declare it everywhere and make classes final to try to make it
1721         explicit what each class is doing to its inherited flags.
1722
1723         * API/JSCallbackConstructor.h:
1724         * API/JSCallbackObject.h:
1725         * bytecode/UnlinkedCodeBlock.h:
1726         * debugger/DebuggerScope.h:
1727         * dfg/DFGSpeculativeJIT.cpp:
1728         (JSC::DFG::SpeculativeJIT::compileMakeRope):
1729         * ftl/FTLLowerDFGToLLVM.cpp:
1730         (JSC::FTL::LowerDFGToLLVM::compileMakeRope):
1731         * heap/Heap.h:
1732         (JSC::Heap::subspaceForObjectDestructor):
1733         (JSC::Heap::allocatorForObjectWithDestructor):
1734         (JSC::Heap::subspaceForObjectNormalDestructor): Deleted.
1735         (JSC::Heap::subspaceForObjectsWithImmortalStructure): Deleted.
1736         (JSC::Heap::allocatorForObjectWithNormalDestructor): Deleted.
1737         (JSC::Heap::allocatorForObjectWithImmortalStructureDestructor): Deleted.
1738         * heap/HeapInlines.h:
1739         (JSC::Heap::allocateWithDestructor):
1740         (JSC::Heap::allocateObjectOfType):
1741         (JSC::Heap::subspaceForObjectOfType):
1742         (JSC::Heap::allocatorForObjectOfType):
1743         (JSC::Heap::allocateWithNormalDestructor): Deleted.
1744         (JSC::Heap::allocateWithImmortalStructureDestructor): Deleted.
1745         * heap/MarkedAllocator.cpp:
1746         (JSC::MarkedAllocator::allocateBlock):
1747         * heap/MarkedAllocator.h:
1748         (JSC::MarkedAllocator::needsDestruction):
1749         (JSC::MarkedAllocator::MarkedAllocator):
1750         (JSC::MarkedAllocator::init):
1751         (JSC::MarkedAllocator::destructorType): Deleted.
1752         * heap/MarkedBlock.cpp:
1753         (JSC::MarkedBlock::create):
1754         (JSC::MarkedBlock::MarkedBlock):
1755         (JSC::MarkedBlock::callDestructor):
1756         (JSC::MarkedBlock::specializedSweep):
1757         (JSC::MarkedBlock::sweep):
1758         (JSC::MarkedBlock::sweepHelper):
1759         * heap/MarkedBlock.h:
1760         (JSC::MarkedBlock::needsDestruction):
1761         (JSC::MarkedBlock::destructorType): Deleted.
1762         * heap/MarkedSpace.cpp:
1763         (JSC::MarkedSpace::MarkedSpace):
1764         (JSC::MarkedSpace::resetAllocators):
1765         (JSC::MarkedSpace::forEachAllocator):
1766         (JSC::MarkedSpace::isPagedOut):
1767         (JSC::MarkedSpace::clearNewlyAllocated):
1768         * heap/MarkedSpace.h:
1769         (JSC::MarkedSpace::subspaceForObjectsWithDestructor):
1770         (JSC::MarkedSpace::destructorAllocatorFor):
1771         (JSC::MarkedSpace::allocateWithDestructor):
1772         (JSC::MarkedSpace::forEachBlock):
1773         (JSC::MarkedSpace::subspaceForObjectsWithNormalDestructor): Deleted.
1774         (JSC::MarkedSpace::subspaceForObjectsWithImmortalStructure): Deleted.
1775         (JSC::MarkedSpace::immortalStructureDestructorAllocatorFor): Deleted.
1776         (JSC::MarkedSpace::normalDestructorAllocatorFor): Deleted.
1777         (JSC::MarkedSpace::allocateWithImmortalStructureDestructor): Deleted.
1778         (JSC::MarkedSpace::allocateWithNormalDestructor): Deleted.
1779         * inspector/JSInjectedScriptHost.h:
1780         * inspector/JSInjectedScriptHostPrototype.h:
1781         * inspector/JSJavaScriptCallFrame.h:
1782         * inspector/JSJavaScriptCallFramePrototype.h:
1783         * jsc.cpp:
1784         * runtime/ArrayBufferNeuteringWatchpoint.h:
1785         * runtime/ArrayConstructor.h:
1786         * runtime/ArrayIteratorPrototype.h:
1787         * runtime/BooleanPrototype.h:
1788         * runtime/ClonedArguments.h:
1789         * runtime/CustomGetterSetter.h:
1790         * runtime/DateConstructor.h:
1791         * runtime/DatePrototype.h:
1792         * runtime/ErrorPrototype.h:
1793         * runtime/ExceptionHelpers.h:
1794         * runtime/Executable.h:
1795         * runtime/GenericArguments.h:
1796         * runtime/GetterSetter.h:
1797         * runtime/InternalFunction.h:
1798         * runtime/JSAPIValueWrapper.h:
1799         * runtime/JSArgumentsIterator.h:
1800         * runtime/JSArray.h:
1801         * runtime/JSArrayBuffer.h:
1802         * runtime/JSArrayBufferView.h:
1803         * runtime/JSBoundFunction.h:
1804         * runtime/JSCallee.h:
1805         * runtime/JSCell.h:
1806         * runtime/JSCellInlines.h:
1807         (JSC::JSCell::classInfo):
1808         * runtime/JSDataViewPrototype.h:
1809         * runtime/JSEnvironmentRecord.h:
1810         * runtime/JSFunction.h:
1811         * runtime/JSGenericTypedArrayView.h:
1812         * runtime/JSGlobalObject.h:
1813         * runtime/JSLexicalEnvironment.h:
1814         * runtime/JSNameScope.h:
1815         * runtime/JSNotAnObject.h:
1816         * runtime/JSONObject.h:
1817         * runtime/JSObject.h:
1818         (JSC::JSFinalObject::JSFinalObject):
1819         * runtime/JSPromiseConstructor.h:
1820         * runtime/JSPromiseDeferred.h:
1821         * runtime/JSPromisePrototype.h:
1822         * runtime/JSPromiseReaction.h:
1823         * runtime/JSPropertyNameEnumerator.h:
1824         * runtime/JSProxy.h:
1825         * runtime/JSScope.h:
1826         * runtime/JSString.h:
1827         * runtime/JSSymbolTableObject.h:
1828         * runtime/JSTypeInfo.h:
1829         (JSC::TypeInfo::structureIsImmortal):
1830         * runtime/MathObject.h:
1831         * runtime/NumberConstructor.h:
1832         * runtime/NumberPrototype.h:
1833         * runtime/ObjectConstructor.h:
1834         * runtime/PropertyMapHashTable.h:
1835         * runtime/RegExp.h:
1836         * runtime/RegExpConstructor.h:
1837         * runtime/RegExpObject.h:
1838         * runtime/RegExpPrototype.h:
1839         * runtime/ScopedArgumentsTable.h:
1840         * runtime/SparseArrayValueMap.h:
1841         * runtime/StrictEvalActivation.h:
1842         * runtime/StringConstructor.h:
1843         * runtime/StringIteratorPrototype.h:
1844         * runtime/StringObject.h:
1845         * runtime/StringPrototype.h:
1846         * runtime/Structure.cpp:
1847         (JSC::Structure::Structure):
1848         * runtime/Structure.h:
1849         * runtime/StructureChain.h:
1850         * runtime/StructureRareData.h:
1851         * runtime/Symbol.h:
1852         * runtime/SymbolPrototype.h:
1853         * runtime/SymbolTable.h:
1854         * runtime/WeakMapData.h:
1855
1856 2015-04-13  Mark Lam  <mark.lam@apple.com>
1857
1858         DFG inlining of op_call_varargs should keep the callee alive in case of OSR exit.
1859         https://bugs.webkit.org/show_bug.cgi?id=143407
1860
1861         Reviewed by Filip Pizlo.
1862
1863         DFG inlining of a varargs call / construct needs to keep the local
1864         containing the callee alive with a Phantom node because the LoadVarargs
1865         node may OSR exit.  After the OSR exit, the baseline JIT executes the
1866         op_call_varargs with that callee in the local.
1867
1868         Previously, because that callee local was not explicitly kept alive,
1869         the op_call_varargs case could OSR exit a DFG function and leave an
1870         undefined value in that local.  As a result, the baseline observed the
1871         side effect of an op_call_varargs on an undefined value instead of the
1872         function it expected.
1873
1874         Note: this issue does not manifest with op_construct_varargs because
1875         the inlined constructor will have an op_create_this which operates on
1876         the incoming callee value, thereby keeping it alive.
1877
1878         * dfg/DFGByteCodeParser.cpp:
1879         (JSC::DFG::ByteCodeParser::handleInlining):
1880         * tests/stress/call-varargs-with-different-arguments-length-after-warmup.js: Added.
1881         (foo):
1882         (Foo):
1883         (doTest):
1884
1885 2015-04-12  Yusuke Suzuki  <utatane.tea@gmail.com>
1886
1887         [ES6] Implement Array.prototype.values
1888         https://bugs.webkit.org/show_bug.cgi?id=143633
1889
1890         Reviewed by Darin Adler.
1891
1892         Symbol.unscopables is implemented, so we can implement Array.prototype.values
1893         without largely breaking the web. The following script passes.
1894
1895         var array = [];
1896         var values = 42;
1897         with (array) {
1898             assert(values, 42);
1899         }
1900
1901         * runtime/ArrayPrototype.cpp:
1902         * tests/stress/array-iterators-next.js:
1903         * tests/stress/map-iterators-next.js:
1904         * tests/stress/set-iterators-next.js:
1905         * tests/stress/values-unscopables.js: Added.
1906         (test):
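
As an added example (not code from the WebKit change or its tests), the snippet below shows the mechanism that makes the check in the entry pass: Array.prototype[Symbol.unscopables] lists `values`, so `with (array)` skips the inherited method and the identifier keeps resolving to the outer variable. It also shows the contrast with a plain object, which does shadow the outer binding until it is given its own Symbol.unscopables table. Because `with` is a syntax error in strict-mode code (and therefore in ES modules), each probe is compiled with `new Function`, whose body is always sloppy mode. The helper names (resolveInsideWith, arrayMethodIsUnscopable, hideFromWith, demo) are this example's own.

```javascript
// Added example: how Symbol.unscopables keeps `with (array)` from shadowing an
// outer binding named `values` now that Array.prototype.values exists.
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// Runs `var <name> = outer; with (obj) { return <name>; }` in sloppy mode and
// returns what the identifier resolved to: obj's property if `with` exposes it,
// otherwise `outer`.
function resolveInsideWith(obj, name, outer) {
  if (!IDENTIFIER.test(name))
    throw new TypeError("not a plain identifier: " + name); // keep `name` out of the source text otherwise
  const probe = new Function(
    "obj", "outer",
    "var " + name + " = outer;\n" +
    "with (obj) { return " + name + "; }"
  );
  return probe(obj, outer);
}

// True when Array.prototype[Symbol.unscopables] hides `name` from `with`.
function arrayMethodIsUnscopable(name) {
  const table = Array.prototype[Symbol.unscopables];
  return Object.prototype.hasOwnProperty.call(table, name) && table[name] === true;
}

// Gives a user-defined object the same protection for the listed names. The
// table has a null prototype, like the built-in Array one, so a property added
// to Object.prototype later cannot leak into the unscopables lookup.
function hideFromWith(obj, names) {
  const table = Object.create(null);
  for (const n of names) table[n] = true;
  Object.defineProperty(obj, Symbol.unscopables, {
    value: table, writable: true, enumerable: false, configurable: true
  });
  return obj;
}

// Constructed walkthrough of the three cases.
function demo() {
  const obj = { values: "shadowed" };
  return {
    // The check from the commit message: `values` is still 42 inside `with ([])`.
    arrayValues: resolveInsideWith([], "values", 42),
    // A plain object with a `values` property does shadow the outer binding...
    plainObject: resolveInsideWith(obj, "values", 42),
    // ...until the name is listed in its Symbol.unscopables table.
    hiddenObject: resolveInsideWith(hideFromWith(obj, ["values"]), "values", 42),
  };
}
```

A method that is not in the unscopables list, such as `push`, is still picked up by `with ([])`, which is exactly why adding new Array.prototype methods needs the unscopables entry to stay web-compatible.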
1907
1908 2015-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>
1909
1910         Run flaky conservative GC related test first before polluting stack and registers
1911         https://bugs.webkit.org/show_bug.cgi?id=143634
1912
1913         Reviewed by Ryosuke Niwa.
1914
1915         After r182653, JSC API tests fail. However, it's not related to the change.
1916         After investigating the cause of this failure, I've found that the failed test is flaky
1917         because JSC's GC is conservative. If a previously allocated JSGlobalObject is accidentally kept alive
1918         due to conservative roots in the C stack and registers, this test fails.
1919
1920         Since the GC marks the C stack and registers as roots conservatively,
1921         objects that are not logically referenced can be accidentally marked and kept alive.
1922         To avoid this situation as much as we can,
1923         1. run this test first, before the stack is polluted,
1924         2. extract this test into a function to limit stack height.
1925
1926         * API/tests/testapi.mm:
1927         (testWeakValue):
1928         (testObjectiveCAPIMain):
1929         (testObjectiveCAPI):
1930
1931 2015-04-11  Matt Baker  <mattbaker@apple.com>
1932
1933         Web Inspector: create content view and details sidebar for Frames timeline
1934         https://bugs.webkit.org/show_bug.cgi?id=143533
1935
1936         Reviewed by Timothy Hatcher.
1937
1938         Refactoring: RunLoop prefix changed to RenderingFrame.
1939
1940         * inspector/protocol/Timeline.json:
1941
1942 2015-04-11  Yusuke Suzuki  <utatane.tea@gmail.com>
1943
1944         [ES6] Enable Symbol in web pages
1945         https://bugs.webkit.org/show_bug.cgi?id=143375
1946
1947         Reviewed by Ryosuke Niwa.
1948
1949         Expose Symbol to web pages.
1950         Symbol was exposed before, but it was hidden since it broke Facebook comments.
1951         This is because at that time Symbol was implemented,
1952         but the methods for Symbol.iterator and Object.getOwnPropertySymbols were not implemented yet,
1953         and that broke React.js and immutable.js.
1954
1955         Now the methods for Symbol.iterator and Object.getOwnPropertySymbols are implemented,
1956         and we have made sure that the Facebook comment input functionality is not broken with Symbol exposed.
1957
1958         So this patch replaces the runtime flag SymbolEnabled with SymbolDisabled
1959         and enables symbols by default.
1960
1961         * runtime/ArrayPrototype.cpp:
1962         (JSC::ArrayPrototype::finishCreation):
1963         * runtime/CommonIdentifiers.h:
1964         * runtime/JSGlobalObject.cpp:
1965         (JSC::JSGlobalObject::init):
1966         * runtime/ObjectConstructor.cpp:
1967         (JSC::ObjectConstructor::finishCreation):
1968         * runtime/RuntimeFlags.h:
1969
1970 2015-04-10  Yusuke Suzuki  <utatane.tea@gmail.com>
1971
1972         ES6: Iterator toString names should be consistent
1973         https://bugs.webkit.org/show_bug.cgi?id=142424
1974
1975         Reviewed by Geoffrey Garen.
1976
1977         Iterator Object Names in the spec right now have spaces.
1978         In our implementation some do and some don't.
1979         This patch aligns JSC to the spec.
1980
1981         * runtime/JSArrayIterator.cpp:
1982         * runtime/JSStringIterator.cpp:
1983         * tests/stress/iterator-names.js: Added.
1984         (test):
1985         (iter):
1986         (check):
1987
1988 2015-04-10  Michael Saboff  <msaboff@apple.com>
1989
1990         REGRESSION (182567): regress/script-tests/sorting-benchmark.js fails on 32 bit dfg-eager tests
1991         https://bugs.webkit.org/show_bug.cgi?id=143582
1992
1993         Reviewed by Mark Lam.
1994
1995         For 32 bit builds, we favor spilling unboxed values.  The ASSERT at the root of this bug doesn't
1996         fire for 64 bit builds, because we spill an "Other" value as a full JS value (DataFormatJS).
1997         For 32 bit builds however, if we are able, we spill Other values as JSCell* (DataFormatCell).
1998         The fix is to add a check in fillSpeculateInt32Internal() before the ASSERT that always OSR exits
1999         if the spillFormat is DataFormatCell.  Had we spilled in DataFormatJS and the value was a JSCell*,
2000         we would still OSR exit after the speculation check.
2001
2002         * dfg/DFGFixupPhase.cpp:
2003         (JSC::DFG::FixupPhase::fixupNode): Fixed an error in a comment while debugging.
2004         * dfg/DFGSpeculativeJIT32_64.cpp:
2005         (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
2006
2007 2015-04-10  Milan Crha  <mcrha@redhat.com>
2008
2009         Disable Linux-specific code in a Windows build
2010         https://bugs.webkit.org/show_bug.cgi?id=137973
2011
2012         Reviewed by Joseph Pecoraro.
2013
2014         * inspector/JSGlobalObjectInspectorController.cpp:
2015         (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
2016
2017 2015-04-10  Csaba Osztrogonác  <ossy@webkit.org>
2018
2019         [ARM] Fix calleeSaveRegisters() on non iOS platforms after r180516
2020         https://bugs.webkit.org/show_bug.cgi?id=143368
2021
2022         Reviewed by Michael Saboff.
2023
2024         * jit/RegisterSet.cpp:
2025         (JSC::RegisterSet::calleeSaveRegisters):
2026
2027 2015-04-08  Joseph Pecoraro  <pecoraro@apple.com>
2028
2029         Use jsNontrivialString in more places if the string is guaranteed to be 2 or more characters
2030         https://bugs.webkit.org/show_bug.cgi?id=143430
2031
2032         Reviewed by Darin Adler.
2033
2034         * runtime/ExceptionHelpers.cpp:
2035         (JSC::errorDescriptionForValue):
2036         * runtime/NumberPrototype.cpp:
2037         (JSC::numberProtoFuncToExponential):
2038         (JSC::numberProtoFuncToPrecision):
2039         (JSC::numberProtoFuncToString):
2040         * runtime/SymbolPrototype.cpp:
2041         (JSC::symbolProtoFuncToString):
2042
2043 2015-04-08  Filip Pizlo  <fpizlo@apple.com>
2044
2045         JSArray::sortNumeric should handle ArrayWithUndecided
2046         https://bugs.webkit.org/show_bug.cgi?id=143535
2047
2048         Reviewed by Geoffrey Garen.
2049         
2050         ArrayWithUndecided is what you get if you haven't stored anything into the array yet. We need to handle it.
2051
2052         * runtime/JSArray.cpp:
2053         (JSC::JSArray::sortNumeric):
2054         * tests/stress/sort-array-with-undecided.js: Added.
2055
2056 2015-04-08  Filip Pizlo  <fpizlo@apple.com>
2057
2058         DFG::IntegerCheckCombiningPhase's wrap-around check shouldn't trigger C++ undef behavior on wrap-around
2059         https://bugs.webkit.org/show_bug.cgi?id=143532
2060
2061         Reviewed by Gavin Barraclough.
2062         
2063         Oh the irony!  We were protecting an optimization that only worked if there was no wrap-around in JavaScript.
2064         But the C++ code had wrap-around, which is undef in C++.  So, if the compiler was smart enough, our compiler
2065         would think that there never was wrap-around.
2066         
2067         This fixes a failure in stress/tricky-array-boiunds-checks.js when JSC is compiled with bleeding-edge clang.
2068
2069         * dfg/DFGIntegerCheckCombiningPhase.cpp:
2070         (JSC::DFG::IntegerCheckCombiningPhase::isValid):
2071
2072 2015-04-07  Michael Saboff  <msaboff@apple.com>
2073
2074         Lazily initialize LogToSystemConsole flag to reduce memory usage
2075         https://bugs.webkit.org/show_bug.cgi?id=143506
2076
2077         Reviewed by Mark Lam.
2078
2079         Only call into CF preferences code when we need to in order to reduce memory usage.
2080
2081         * inspector/JSGlobalObjectConsoleClient.cpp:
2082         (Inspector::JSGlobalObjectConsoleClient::logToSystemConsole):
2083         (Inspector::JSGlobalObjectConsoleClient::setLogToSystemConsole):
2084         (Inspector::JSGlobalObjectConsoleClient::initializeLogToSystemConsole):
2085         (Inspector::JSGlobalObjectConsoleClient::JSGlobalObjectConsoleClient):
2086
2087 2015-04-07  Benjamin Poulain  <benjamin@webkit.org>
2088
2089         Get the features.json files ready for open contributions
2090         https://bugs.webkit.org/show_bug.cgi?id=143436
2091
2092         Reviewed by Darin Adler.
2093
2094         * features.json:
2095
2096 2015-04-07  Filip Pizlo  <fpizlo@apple.com>
2097
2098         Constant folding of typed array properties should be handled by AI rather than strength reduction
2099         https://bugs.webkit.org/show_bug.cgi?id=143496
2100
2101         Reviewed by Geoffrey Garen.
2102         
2103         Handling constant folding in AI is better because it precludes us from having to fixpoint the CFA
2104         phase and whatever other phase did the folding in order to find all constants.
2105         
2106         This also removes the TypedArrayWatchpoint node type because we can just set the watchpoint
2107         directly.
2108         
2109         This also fixes a bug in FTL lowering of GetTypedArrayByteOffset. The bug was previously not
2110         found because all of the tests for it involved the property getting constant folded. I found that
2111         the codegen was bad because an earlier version of the patch broke that constant folding. This
2112         adds a new test for that node type, which makes constant folding impossible by allocating a new
2113         typed array every time. The lesson here is: if you write a test for something, run the test with
2114         full IR dumps to make sure it's actually testing the thing you want it to test.
2115
2116         * dfg/DFGAbstractInterpreterInlines.h:
2117         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2118         * dfg/DFGClobberize.h:
2119         (JSC::DFG::clobberize):
2120         * dfg/DFGConstantFoldingPhase.cpp:
2121         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2122         * dfg/DFGDoesGC.cpp:
2123         (JSC::DFG::doesGC):
2124         * dfg/DFGFixupPhase.cpp:
2125         (JSC::DFG::FixupPhase::fixupNode):
2126         * dfg/DFGGraph.cpp:
2127         (JSC::DFG::Graph::dump):
2128         (JSC::DFG::Graph::tryGetFoldableView):
2129         (JSC::DFG::Graph::tryGetFoldableViewForChild1): Deleted.
2130         * dfg/DFGGraph.h:
2131         * dfg/DFGNode.h:
2132         (JSC::DFG::Node::hasTypedArray): Deleted.
2133         (JSC::DFG::Node::typedArray): Deleted.
2134         * dfg/DFGNodeType.h:
2135         * dfg/DFGPredictionPropagationPhase.cpp:
2136         (JSC::DFG::PredictionPropagationPhase::propagate):
2137         * dfg/DFGSafeToExecute.h:
2138         (JSC::DFG::safeToExecute):
2139         * dfg/DFGSpeculativeJIT.cpp:
2140         (JSC::DFG::SpeculativeJIT::jumpForTypedArrayOutOfBounds):
2141         * dfg/DFGSpeculativeJIT32_64.cpp:
2142         (JSC::DFG::SpeculativeJIT::compile):
2143         * dfg/DFGSpeculativeJIT64.cpp:
2144         (JSC::DFG::SpeculativeJIT::compile):
2145         * dfg/DFGStrengthReductionPhase.cpp:
2146         (JSC::DFG::StrengthReductionPhase::handleNode):
2147         (JSC::DFG::StrengthReductionPhase::foldTypedArrayPropertyToConstant): Deleted.
2148         (JSC::DFG::StrengthReductionPhase::prepareToFoldTypedArray): Deleted.
2149         * dfg/DFGWatchpointCollectionPhase.cpp:
2150         (JSC::DFG::WatchpointCollectionPhase::handle):
2151         (JSC::DFG::WatchpointCollectionPhase::addLazily):
2152         * ftl/FTLCapabilities.cpp:
2153         (JSC::FTL::canCompile):
2154         * ftl/FTLLowerDFGToLLVM.cpp:
2155         (JSC::FTL::LowerDFGToLLVM::compileNode):
2156         (JSC::FTL::LowerDFGToLLVM::compileGetTypedArrayByteOffset):
2157         (JSC::FTL::LowerDFGToLLVM::typedArrayLength):
2158         * tests/stress/fold-typed-array-properties.js:
2159         (foo):
2160         * tests/stress/typed-array-byte-offset.js: Added.
2161         (foo):
2162
2163 2015-04-07  Matthew Mirman  <mmirman@apple.com>
2164
2165         Source and stack information should get appended only to native errors
2166         and should be added directly after construction rather than when thrown. 
2167         This fixes frozen objects being unfrozen when thrown while conforming to 
2168         ecma script standard and other browser behavior.
2169         rdar://problem/19927293
2170         https://bugs.webkit.org/show_bug.cgi?id=141871
2171         
2172         Reviewed by Geoffrey Garen.
2173
2174         Appending stack, source, line, and column information to an object whenever that object is thrown
2175         is incorrect because it violates the ECMAScript standard for the behavior of throw.  Suppose for example
2176         that the object being thrown already has one of these properties or is frozen.  Adding the properties
2177         would then violate the frozen contract or overwrite those properties.  Other browsers do not do this,
2178         and doing this causes unnecessary performance hits in code with heavy use of the throw construct as
2179         a control flow construct rather than just an error reporting mechanism.
2180
2181         Because WebCore adds "native" errors which do not inherit from any JSC native error,
2182         appending the error properties as a separate call after construction of the error is required
2183         to avoid having to manually truncate the stack and gather local source information due to
2184         the stack being extended by a nested call to construct one of the native JSC errors.
2185         
2186         * interpreter/Interpreter.cpp:
2187         (JSC::Interpreter::execute):
2188         * interpreter/Interpreter.h:
2189         * parser/ParserError.h:
2190         (JSC::ParserError::toErrorObject):
2191         * runtime/CommonIdentifiers.h:
2192         * runtime/Error.cpp:
2193         (JSC::createError):
2194         (JSC::createEvalError):
2195         (JSC::createRangeError):
2196         (JSC::createReferenceError):
2197         (JSC::createSyntaxError):
2198         (JSC::createTypeError):
2199         (JSC::createNotEnoughArgumentsError):
2200         (JSC::createURIError):
2201         (JSC::createOutOfMemoryError):
2202         (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor):
2203         (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()):
2204         (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame):
2205         (JSC::FindFirstCallerFrameWithCodeblockFunctor::index):
2206         (JSC::addErrorInfoAndGetBytecodeOffset):  Added.
2207         (JSC::addErrorInfo): Added special case for appending complete error info 
2208         to a newly constructed error object.
2209         * runtime/Error.h:
2210         * runtime/ErrorConstructor.cpp:
2211         (JSC::Interpreter::constructWithErrorConstructor):
2212         (JSC::Interpreter::callErrorConstructor):
2213         * runtime/ErrorInstance.cpp:
2214         (JSC::appendSourceToError): Moved from VM.cpp
2215         (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor):
2216         (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()):
2217         (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame):
2218         (JSC::FindFirstCallerFrameWithCodeblockFunctor::index):
2219         (JSC::addErrorInfoAndGetBytecodeOffset):
2220         (JSC::ErrorInstance::finishCreation):
2221         * runtime/ErrorInstance.h:
2222         (JSC::ErrorInstance::create):
2223         * runtime/ErrorPrototype.cpp:
2224         (JSC::ErrorPrototype::finishCreation):
2225         * runtime/ExceptionFuzz.cpp:
2226         (JSC::doExceptionFuzzing):
2227         * runtime/ExceptionHelpers.cpp:
2228         (JSC::createError):
2229         (JSC::createInvalidFunctionApplyParameterError):
2230         (JSC::createInvalidInParameterError):
2231         (JSC::createInvalidInstanceofParameterError):
2232         (JSC::createNotAConstructorError):
2233         (JSC::createNotAFunctionError):
2234         (JSC::createNotAnObjectError):
2235         (JSC::throwOutOfMemoryError):
2236         (JSC::createStackOverflowError): Deleted.
2237         (JSC::createOutOfMemoryError): Deleted.
2238         * runtime/ExceptionHelpers.h:
2239         * runtime/JSArrayBufferConstructor.cpp:
2240         (JSC::constructArrayBuffer):
2241         * runtime/JSArrayBufferPrototype.cpp:
2242         (JSC::arrayBufferProtoFuncSlice):
2243         * runtime/JSGenericTypedArrayViewInlines.h:
2244         (JSC::JSGenericTypedArrayView<Adaptor>::create):
2245         (JSC::JSGenericTypedArrayView<Adaptor>::createUninitialized):
2246         * runtime/NativeErrorConstructor.cpp:
2247         (JSC::Interpreter::constructWithNativeErrorConstructor):
2248         (JSC::Interpreter::callNativeErrorConstructor):
2249         * runtime/VM.cpp:
2250         (JSC::VM::throwException):
2251         (JSC::appendSourceToError): Moved to Error.cpp
2252         (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor): Deleted.
2253         (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()): Deleted.
2254         (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame): Deleted.
2255         (JSC::FindFirstCallerFrameWithCodeblockFunctor::index): Deleted.
2256         * tests/stress/freeze_leek.js: Added.
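
The throw-site contract described in this entry, as seen from JavaScript. This is an added example, not JSC's own code or tests; the thrown payloads are constructed here, and the native-error probe assumes the engine exposes `stack` as a string on construction.

```javascript
// Added example (not JSC code): observable consequences of attaching error
// info at construction time instead of at throw time.
function throwAndCatch(value) {
  try {
    throw value;
  } catch (caught) {
    return caught;
  }
}

// A frozen non-error object must come back from a throw unchanged: same
// identity, still frozen, and with no engine-added stack/line/column data.
function throwFrozenObject() {
  const payload = Object.freeze({ code: 'E_CONSTRUCTED' }); // constructed sample
  const caught = throwAndCatch(payload);
  return {
    sameObject: caught === payload,
    stillFrozen: Object.isFrozen(caught),
    ownKeys: Object.getOwnPropertyNames(caught),
  };
}

// An object that already carries its own "stack" keeps that value; an engine
// writing stack info at throw time would clobber application data here.
function throwObjectWithOwnStack() {
  const payload = { stack: 'application-defined' }; // constructed sample
  return throwAndCatch(payload).stack;
}

// Native errors get their stack information when constructed, so it exists
// before the error is ever thrown and is not rewritten by the throw.
function nativeErrorHasStackBeforeThrow() {
  const err = new TypeError('constructed, not yet thrown');
  const before = typeof err.stack === 'string' && err.stack.length > 0;
  const caught = throwAndCatch(err);
  return { before, sameAfterThrow: caught.stack === err.stack };
}

// throw used as control flow, as the entry mentions: a primitive is thrown,
// so there is nothing the engine could attach properties to anyway.
function findFirstNegative(values) {
  try {
    values.forEach((v, i) => {
      if (v < 0) throw i;
    });
  } catch (index) {
    return index;
  }
  return -1;
}
```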
2257
2258 2015-04-07  Joseph Pecoraro  <pecoraro@apple.com>
2259
2260         Web Inspector: ES6: Show Symbol properties on Objects
2261         https://bugs.webkit.org/show_bug.cgi?id=141279
2262
2263         Reviewed by Timothy Hatcher.
2264
2265         * inspector/protocol/Runtime.json:
2266         Give PropertyDescriptor a reference to the Symbol RemoteObject
2267         if the property is a symbol property.
2268
2269         * inspector/InjectedScriptSource.js:
2270         Enumerate symbol properties on objects.
2271
2272 2015-04-07  Filip Pizlo  <fpizlo@apple.com>
2273
2274         Make it possible to enable LLVM FastISel
2275         https://bugs.webkit.org/show_bug.cgi?id=143489
2276
2277         Reviewed by Michael Saboff.
2278
2279         The decision to enable FastISel is made by Options.h|cpp, but the LLVM library can disable it if it finds that it is built
2280         against a version of LLVM that doesn't support it. Thereafter, JSC::enableLLVMFastISel is the flag that tells the system
2281         if we should enable it.
2282
2283         * ftl/FTLCompile.cpp:
2284         (JSC::FTL::mmAllocateDataSection):
2285         * llvm/InitializeLLVM.cpp:
2286         (JSC::initializeLLVMImpl):
2287         * llvm/InitializeLLVM.h:
2288         * llvm/InitializeLLVMLinux.cpp:
2289         (JSC::getLLVMInitializerFunction):
2290         (JSC::initializeLLVMImpl): Deleted.
2291         * llvm/InitializeLLVMMac.cpp:
2292         (JSC::getLLVMInitializerFunction):
2293         (JSC::initializeLLVMImpl): Deleted.
2294         * llvm/InitializeLLVMPOSIX.cpp:
2295         (JSC::getLLVMInitializerFunctionPOSIX):
2296         (JSC::initializeLLVMPOSIX): Deleted.
2297         * llvm/InitializeLLVMPOSIX.h:
2298         * llvm/InitializeLLVMWin.cpp:
2299         (JSC::getLLVMInitializerFunction):
2300         (JSC::initializeLLVMImpl): Deleted.
2301         * llvm/LLVMAPI.cpp:
2302         * llvm/LLVMAPI.h:
2303         * llvm/library/LLVMExports.cpp:
2304         (initCommandLine):
2305         (initializeAndGetJSCLLVMAPI):
2306         * runtime/Options.cpp:
2307         (JSC::Options::initialize):
2308
2309 2015-04-06  Yusuke Suzuki  <utatane.tea@gmail.com>
2310
2311         put_by_val_direct need to check the property is index or not for using putDirect / putDirectIndex
2312         https://bugs.webkit.org/show_bug.cgi?id=140426
2313
2314         Reviewed by Darin Adler.
2315
2316         In the put_by_val_direct operation, we use JSObject::putDirect.
2317         However, it only accepts non-index properties. For index properties, we need to use JSObject::putDirectIndex.
2318         This patch checks whether the toString-ed Identifier is an index or not to choose putDirect / putDirectIndex.
2319
2320         * dfg/DFGOperations.cpp:
2321         (JSC::DFG::putByVal):
2322         (JSC::DFG::operationPutByValInternal):
2323         * jit/JITOperations.cpp:
2324         * llint/LLIntSlowPaths.cpp:
2325         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2326         * runtime/Identifier.h:
2327         (JSC::isIndex):
2328         (JSC::parseIndex):
2329         * tests/stress/dfg-put-by-val-direct-with-edge-numbers.js: Added.
2330         (lookupWithKey):
2331         (toStringThrowsError.toString):
2332
2333 2015-04-06  Alberto Garcia  <berto@igalia.com>
2334
2335         [GTK] Fix HPPA build
2336         https://bugs.webkit.org/show_bug.cgi?id=143453
2337
2338         Reviewed by Darin Adler.
2339
2340         Add HPPA to the list of supported CPUs.
2341
2342         * CMakeLists.txt:
2343
2344 2015-04-06  Mark Lam  <mark.lam@apple.com>
2345
2346         In the 64-bit DFG and FTL, Array::Double case for HasIndexedProperty should set its result to true when all is well.
2347         <https://webkit.org/b/143396>
2348
2349         Reviewed by Filip Pizlo.
2350
2351         The DFG was neglecting to set the result boolean.  The FTL was setting it with
2352         an inverted value.  Both of these are now resolved.
2353
2354         * dfg/DFGSpeculativeJIT64.cpp:
2355         (JSC::DFG::SpeculativeJIT::compile):
2356         * ftl/FTLLowerDFGToLLVM.cpp:
2357         (JSC::FTL::LowerDFGToLLVM::compileHasIndexedProperty):
2358         * tests/stress/for-in-array-mode.js: Added.
2359         (.):
2360         (test):
2361
2362 2015-04-06  Yusuke Suzuki  <utatane.tea@gmail.com>
2363
2364         [ES6] DFG and FTL should be aware of that StringConstructor behavior for symbols becomes different from ToString
2365         https://bugs.webkit.org/show_bug.cgi?id=143424
2366
2367         Reviewed by Geoffrey Garen.
2368
2369         In ES6, StringConstructor behavior becomes different from the ToString abstract operation in the spec (and JSValue::toString).
2370
2371         ToString(symbol) throws a type error.
2372         However, String(symbol) produces SymbolDescriptiveString(symbol).
2373
2374         So, in DFG and FTL phase, they should not inline StringConstructor to ToString.
2375
2376         Now, in the template literals patch, ToString DFG operation is planned to be used.
2377         And current ToString behavior is aligned to the spec (and JSValue::toString) and it's better.
2378         So instead of changing ToString behavior, this patch adds a CallStringConstructor operation into DFG and FTL.
2379         In CallStringConstructor, all behavior in DFG analysis is the same.
2380         The only difference from ToString is that, when calling DFG operation functions, it calls
2381         operationCallStringConstructorOnCell and operationCallStringConstructor instead of
2382         operationToStringOnCell and operationToString.
2383
2384         * dfg/DFGAbstractInterpreterInlines.h:
2385         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2386         * dfg/DFGBackwardsPropagationPhase.cpp:
2387         (JSC::DFG::BackwardsPropagationPhase::propagate):
2388         * dfg/DFGByteCodeParser.cpp:
2389         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
2390         * dfg/DFGClobberize.h:
2391         (JSC::DFG::clobberize):
2392         * dfg/DFGDoesGC.cpp:
2393         (JSC::DFG::doesGC):
2394         * dfg/DFGFixupPhase.cpp:
2395         (JSC::DFG::FixupPhase::fixupNode):
2396         (JSC::DFG::FixupPhase::fixupToStringOrCallStringConstructor):
2397         (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd):
2398         (JSC::DFG::FixupPhase::fixupToString): Deleted.
2399         * dfg/DFGNodeType.h:
2400         * dfg/DFGOperations.cpp:
2401         * dfg/DFGOperations.h:
2402         * dfg/DFGPredictionPropagationPhase.cpp:
2403         (JSC::DFG::PredictionPropagationPhase::propagate):
2404         * dfg/DFGSafeToExecute.h:
2405         (JSC::DFG::safeToExecute):
2406         * dfg/DFGSpeculativeJIT.cpp:
2407         (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructorOnCell):
2408         (JSC::DFG::SpeculativeJIT::compileToStringOnCell): Deleted.
2409         * dfg/DFGSpeculativeJIT.h:
2410         * dfg/DFGSpeculativeJIT32_64.cpp:
2411         (JSC::DFG::SpeculativeJIT::compile):
2412         * dfg/DFGSpeculativeJIT64.cpp:
2413         (JSC::DFG::SpeculativeJIT::compile):
2414         * dfg/DFGStructureRegistrationPhase.cpp:
2415         (JSC::DFG::StructureRegistrationPhase::run):
2416         * ftl/FTLCapabilities.cpp:
2417         (JSC::FTL::canCompile):
2418         * ftl/FTLLowerDFGToLLVM.cpp:
2419         (JSC::FTL::LowerDFGToLLVM::compileNode):
2420         (JSC::FTL::LowerDFGToLLVM::compileToStringOrCallStringConstructor):
2421         (JSC::FTL::LowerDFGToLLVM::compileToString): Deleted.
2422         * runtime/StringConstructor.cpp:
2423         (JSC::stringConstructor):
2424         (JSC::callStringConstructor):
2425         * runtime/StringConstructor.h:
2426         * tests/stress/symbol-and-string-constructor.js: Added.
2427         (performString):
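
The String(symbol) versus ToString(symbol) split that makes a separate DFG node necessary, probed from JavaScript. This is an added example, not JSC's own code or its stress test; it assumes an ES6-conformant engine and uses a constructed symbol.

```javascript
// Added example (not JSC code): which conversion paths hit the String()
// special case for symbol values and which go through ToString and throw.
function tryConvert(fn) {
  try {
    return { ok: true, value: fn() };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

function stringConversionsOfSymbol(description) {
  const sym = Symbol(description); // constructed sample
  return {
    // String(value) called without new: SymbolDescriptiveString(sym)
    stringCall: tryConvert(() => String(sym)),
    // Symbol.prototype.toString gives the same text
    toStringMethod: tryConvert(() => sym.toString()),
    // template literals use ToString -> TypeError
    template: tryConvert(() => `${sym}`),
    // '' + sym: one operand is a string, so ToString(sym) -> TypeError
    concat: tryConvert(() => '' + sym),
    // new String(value) takes the ToString path -> TypeError
    newString: tryConvert(() => new String(sym)),
    // a Symbol wrapper object is not a symbol value, so String() falls
    // back to ToString, which unwraps it and throws
    boxed: tryConvert(() => String(Object(sym))),
  };
}
```

Code that coerces untrusted values with `'' + value` or a template literal therefore fails closed on symbols, while `String(value)` yields a description string; the two are not interchangeable.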
2428
2429 2015-04-06  Yusuke Suzuki  <utatane.tea@gmail.com>
2430
2431         Return Optional<uint32_t> from PropertyName::asIndex
2432         https://bugs.webkit.org/show_bug.cgi?id=143422
2433
2434         Reviewed by Darin Adler.
2435
2436         PropertyName::asIndex returns uint32_t and uses UINT_MAX as NotAnIndex.
2437         But it's not obvious to callers.
2438
2439         This patch changes
2440         1. PropertyName::asIndex() to return Optional<uint32_t> and
2441         2. function name `asIndex()` to `parseIndex()`.
2442         It forces callers to check explicitly whether the value is an index or not.
2443
2444         * bytecode/GetByIdStatus.cpp:
2445         (JSC::GetByIdStatus::computeFor):
2446         * bytecode/PutByIdStatus.cpp:
2447         (JSC::PutByIdStatus::computeFor):
2448         * bytecompiler/BytecodeGenerator.cpp:
2449         (JSC::BytecodeGenerator::emitDirectPutById):
2450         * jit/Repatch.cpp:
2451         (JSC::emitPutTransitionStubAndGetOldStructure):
2452         * jsc.cpp:
2453         * runtime/ArrayPrototype.cpp:
2454         (JSC::arrayProtoFuncSort):
2455         * runtime/GenericArgumentsInlines.h:
2456         (JSC::GenericArguments<Type>::getOwnPropertySlot):
2457         (JSC::GenericArguments<Type>::put):
2458         (JSC::GenericArguments<Type>::deleteProperty):
2459         (JSC::GenericArguments<Type>::defineOwnProperty):
2460         * runtime/Identifier.h:
2461         (JSC::parseIndex):
2462         (JSC::Identifier::isSymbol):
2463         * runtime/JSArray.cpp:
2464         (JSC::JSArray::defineOwnProperty):
2465         * runtime/JSCJSValue.cpp:
2466         (JSC::JSValue::putToPrimitive):
2467         * runtime/JSGenericTypedArrayViewInlines.h:
2468         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
2469         (JSC::JSGenericTypedArrayView<Adaptor>::put):
2470         (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
2471         (JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty):
2472         * runtime/JSObject.cpp:
2473         (JSC::JSObject::put):
2474         (JSC::JSObject::putDirectAccessor):
2475         (JSC::JSObject::putDirectCustomAccessor):
2476         (JSC::JSObject::deleteProperty):
2477         (JSC::JSObject::putDirectMayBeIndex):
2478         (JSC::JSObject::defineOwnProperty):
2479         * runtime/JSObject.h:
2480         (JSC::JSObject::getOwnPropertySlot):
2481         (JSC::JSObject::getPropertySlot):
2482         (JSC::JSObject::putDirectInternal):
2483         * runtime/JSString.cpp:
2484         (JSC::JSString::getStringPropertyDescriptor):
2485         * runtime/JSString.h:
2486         (JSC::JSString::getStringPropertySlot):
2487         * runtime/LiteralParser.cpp:
2488         (JSC::LiteralParser<CharType>::parse):
2489         * runtime/PropertyName.h:
2490         (JSC::parseIndex):
2491         (JSC::toUInt32FromCharacters): Deleted.
2492         (JSC::toUInt32FromStringImpl): Deleted.
2493         (JSC::PropertyName::asIndex): Deleted.
2494         * runtime/PropertyNameArray.cpp:
2495         (JSC::PropertyNameArray::add):
2496         * runtime/StringObject.cpp:
2497         (JSC::StringObject::deleteProperty):
2498         * runtime/Structure.cpp:
2499         (JSC::Structure::prototypeChainMayInterceptStoreTo):
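
The index-versus-name decision behind this entry and the put_by_val_direct fix above (putDirect / putDirectIndex), modelled in JavaScript. This is an added example, not JSC's parseIndex() or object model; `PropertyStore`, `MAX_ARRAY_INDEX` and the sample keys are constructed for the demonstration, and the limit of 2^32 - 2 is the ECMAScript array-index limit.

```javascript
// Added example (not JSC code): an index property name is the canonical
// decimal string of an integer in [0, 2^32 - 2]; anything else (leading
// zeros, signs, whitespace, "4294967295", ...) is an ordinary named property.
const MAX_ARRAY_INDEX = 4294967294; // 2^32 - 2, the ES array-index limit

// JavaScript analogue of Optional<uint32_t> parseIndex(): the numeric index,
// or undefined when the key is not an index, so callers must check explicitly.
function parseIndex(key) {
  if (typeof key !== 'string') return undefined;
  const len = key.length;
  if (len === 0 || len > 10) return undefined;         // 4294967294 has 10 digits
  const first = key.charCodeAt(0);
  if (first < 0x30 || first > 0x39) return undefined;   // must start with a digit
  if (first === 0x30) return len === 1 ? 0 : undefined; // "0" is an index, "01" is not
  let value = 0;
  for (let i = 0; i < len; i++) {
    const c = key.charCodeAt(i);
    if (c < 0x30 || c > 0x39) return undefined;         // ASCII digits only
    value = value * 10 + (c - 0x30);                    // exact: value < 10^10 < 2^53
  }
  return value <= MAX_ARRAY_INDEX ? value : undefined;
}

// Toy object with JSC-style split storage: index properties in indexed
// storage, named properties in insertion-ordered named storage.
class PropertyStore {
  constructor() {
    this.indexed = new Map(); // index (number) -> value
    this.named = new Map();   // name (string | symbol) -> value
  }

  // What put_by_val_direct does for { [key]: value }: ToPropertyKey on the
  // key, then route by parseIndex to putDirectIndex or putDirect.
  putDirectMayBeIndex(key, value) {
    const name = typeof key === 'symbol' ? key : String(key);
    const index = parseIndex(name);
    if (index === undefined) this.putDirect(name, value);
    else this.putDirectIndex(index, value);
  }

  putDirectIndex(index, value) {
    this.indexed.set(index, value);
  }

  // putDirect() is only valid for non-index names; handing it an index is
  // the mistake the put_by_val_direct fix above removes, so reject it loudly.
  putDirect(name, value) {
    if (parseIndex(name) !== undefined) {
      throw new RangeError(`putDirect() received index key ${name}`);
    }
    this.named.set(name, value);
  }

  get(key) {
    const name = typeof key === 'symbol' ? key : String(key);
    const index = parseIndex(name);
    return index === undefined ? this.named.get(name) : this.indexed.get(index);
  }

  // Own string keys in the order OrdinaryOwnPropertyKeys requires: array
  // indices ascending, then other strings in insertion order.
  ownKeys() {
    const indices = [...this.indexed.keys()].sort((a, b) => a - b).map(String);
    const names = [...this.named.keys()].filter((k) => typeof k === 'string');
    return indices.concat(names);
  }
}

// Constructed sample keys: an object whose toString() yields an index (the
// edge case from dfg-put-by-val-direct-with-edge-numbers.js), a number, the
// first non-index integer string, and a leading-zero string.
const SAMPLE_KEYS = ['b', '10', '2', { toString() { return '3'; } }, '4294967295', '01', 'a', 0];

// Same keys stored in a native object (via ordinary assignment) and in the
// model; the two enumeration orders must agree.
function nativeKeysFor(keys) {
  const obj = {};
  for (const key of keys) obj[key] = true;
  return Object.keys(obj);
}

function modelKeysFor(keys) {
  const store = new PropertyStore();
  for (const key of keys) store.putDirectMayBeIndex(key, true);
  return store.ownKeys();
}
```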
2500
2501 2015-04-05  Andreas Kling  <akling@apple.com>
2502
2503         URI encoding/escaping should use efficient string building instead of calling snprintf().
2504         <https://webkit.org/b/143426>
2505
2506         Reviewed by Gavin Barraclough.
2507
2508         I saw 0.5% of main thread time in snprintf() on <http://polymerlabs.github.io/benchmarks/>
2509         which seemed pretty silly. This change gets that down to nothing in favor of using our
2510         existing JSStringBuilder and HexNumber.h facilities.
2511
2512         These APIs are well-exercised by our existing test suite.
2513
2514         * runtime/JSGlobalObjectFunctions.cpp:
2515         (JSC::encode):
2516         (JSC::globalFuncEscape):
2517
2518 2015-04-05  Masataka Yakura  <masataka.yakura@gmail.com>
2519
2520         documentation for ES Promises points to the wrong one
2521         https://bugs.webkit.org/show_bug.cgi?id=143263
2522
2523         Reviewed by Darin Adler.
2524
2525         * features.json:
2526
2527 2015-04-05  Simon Fraser  <simon.fraser@apple.com>
2528
2529         Remove "go ahead and" from comments
2530         https://bugs.webkit.org/show_bug.cgi?id=143421
2531
2532         Reviewed by Darin Adler, Benjamin Poulain.
2533
2534         Remove the phrase "go ahead and" from comments where it doesn't add
2535         anything (which is almost all of them).
2536
2537         * interpreter/JSStack.cpp:
2538         (JSC::JSStack::growSlowCase):
2539
2540 2015-04-04  Andreas Kling  <akling@apple.com>
2541
2542         Logically empty WeakBlocks should not pin down their MarkedBlocks indefinitely.
2543         <https://webkit.org/b/143210>
2544
2545         Reviewed by Geoffrey Garen.
2546
2547         Since a MarkedBlock cannot be destroyed until all the WeakBlocks pointing into it are gone,
2548         we had a little problem where WeakBlocks with only null pointers would still keep their
2549         MarkedBlock alive.
2550
2551         This patch fixes that by detaching WeakBlocks from their MarkedBlock once a sweep discovers
2552         that the WeakBlock contains no pointers to live objects. Ownership of the WeakBlock is passed
2553         to the Heap, which will sweep the list of these detached WeakBlocks as part of a full GC,
2554         destroying them once they're fully dead.
2555
2556         This allows the garbage collector to reclaim the 64kB MarkedBlocks much sooner, and resolves
2557         a mysterious issue where doing two full garbage collections back-to-back would free additional
2558         memory in the second collection.
2559
2560         Management of detached WeakBlocks is implemented as a Vector<WeakBlock*> in Heap, along with
2561         an index of the next block in that vector that needs to be swept. The IncrementalSweeper then
2562         calls into Heap::sweepNextLogicallyEmptyWeakBlock() to sweep one block at a time.
2563
2564         * heap/Heap.h:
2565         * heap/Heap.cpp:
2566         (JSC::Heap::collectAllGarbage): Add a final pass where we sweep the logically empty WeakBlocks
2567         owned by Heap, after everything else has been swept.
2568
2569         (JSC::Heap::notifyIncrementalSweeper): Set up an incremental sweep of logically empty WeakBlocks
2570         after a full garbage collection ends. Note that we don't do this after Eden collections, since
2571         they are unlikely to cause entire WeakBlocks to go empty.
2572
2573         (JSC::Heap::addLogicallyEmptyWeakBlock): Added. Interface for passing ownership of a WeakBlock
2574         to the Heap when it's detached from a WeakSet.
2575
2576         (JSC::Heap::sweepAllLogicallyEmptyWeakBlocks): Helper for collectAllGarbage() that sweeps all
2577         of the logically empty WeakBlocks owned by Heap.
2578
2579         (JSC::Heap::sweepNextLogicallyEmptyWeakBlock): Sweeps one logically empty WeakBlock if needed
2580         and updates the next-logically-empty-weak-block-to-sweep index.
2581
2582         (JSC::Heap::lastChanceToFinalize): Call sweepAllLogicallyEmptyWeakBlocks() here, since there
2583         won't be another chance after this.
2584
2585         * heap/IncrementalSweeper.h:
2586         (JSC::IncrementalSweeper::hasWork): Deleted.
2587
2588         * heap/IncrementalSweeper.cpp:
2589         (JSC::IncrementalSweeper::fullSweep):
2590         (JSC::IncrementalSweeper::doSweep):
2591         (JSC::IncrementalSweeper::sweepNextBlock): Restructured IncrementalSweeper a bit to simplify
2592         adding a new sweeping stage for the Heap's logically empty WeakBlocks. sweepNextBlock() is
2593         changed to return a bool (true if there's more work to be done.)
2594
2595         * heap/WeakBlock.cpp:
2596         (JSC::WeakBlock::sweep): This now figures out if the WeakBlock is logically empty, i.e. doesn't
2597         contain any pointers to live objects. The answer is stored in a new SweepResult member.
2598
2599         * heap/WeakBlock.h:
2600         (JSC::WeakBlock::isLogicallyEmptyButNotFree): Added. Can be queried after a sweep to determine
2601         if the WeakBlock could be detached from the MarkedBlock.
2602
2603         (JSC::WeakBlock::SweepResult::SweepResult): Deleted in favor of initializing member variables
2604         when declaring them.
2605
2606 2015-04-04  Yusuke Suzuki  <utatane.tea@gmail.com>
2607
2608         Implement ES6 Object.getOwnPropertySymbols
2609         https://bugs.webkit.org/show_bug.cgi?id=141106
2610
2611         Reviewed by Geoffrey Garen.
2612
2613         This patch implements `Object.getOwnPropertySymbols`.
2614         One technical issue is that, since we use private symbols (such as `@Object`) in the
2615         privileged JS code in `builtins/`, they should not be exposed.
2616         To distinguish them from the usual symbols, check that the target `StringImpl*` is not a private name
2617         before adding it into PropertyNameArray.
2618
2619         To check whether the target `StringImpl*` is a private name, we leverage the privateToPublic map in `BuiltinNames`
2620         since all private symbols are held in this map.
2621
2622         * builtins/BuiltinExecutables.cpp:
2623         (JSC::BuiltinExecutables::createExecutableInternal):
2624         * builtins/BuiltinNames.h:
2625         (JSC::BuiltinNames::isPrivateName):
2626         * runtime/CommonIdentifiers.cpp:
2627         (JSC::CommonIdentifiers::isPrivateName):
2628         * runtime/CommonIdentifiers.h:
2629         * runtime/EnumerationMode.h:
2630         (JSC::EnumerationMode::EnumerationMode):
2631         (JSC::EnumerationMode::includeSymbolProperties):
2632         * runtime/ExceptionHelpers.cpp:
2633         (JSC::createUndefinedVariableError):
2634         * runtime/JSGlobalObject.cpp:
2635         (JSC::JSGlobalObject::init):
2636         * runtime/JSLexicalEnvironment.cpp:
2637         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
2638         * runtime/JSSymbolTableObject.cpp:
2639         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
2640         * runtime/ObjectConstructor.cpp:
2641         (JSC::ObjectConstructor::finishCreation):
2642         (JSC::objectConstructorGetOwnPropertySymbols):
2643         (JSC::defineProperties):
2644         (JSC::objectConstructorSeal):
2645         (JSC::objectConstructorFreeze):
2646         (JSC::objectConstructorIsSealed):
2647         (JSC::objectConstructorIsFrozen):
2648         * runtime/ObjectConstructor.h:
2649         (JSC::ObjectConstructor::create):
2650         * runtime/Structure.cpp:
2651         (JSC::Structure::getPropertyNamesFromStructure):
2652         * tests/stress/object-get-own-property-symbols-perform-to-object.js: Added.
2653         (compare):
2654         * tests/stress/object-get-own-property-symbols.js: Added.
2655         (forIn):
2656         * tests/stress/symbol-define-property.js: Added.
2657         (testSymbol):
2658         * tests/stress/symbol-seal-and-freeze.js: Added.
2659         * tests/stress/symbol-with-json.js: Added.
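
        The following is an added example, not code from this ChangeLog entry or from JavaScriptCore. It shows, from script, which reflection APIs expose the symbol-keyed properties that the entry's tests (forIn, symbol-with-json, symbol-seal-and-freeze) cover: Object.getOwnPropertySymbols returns every own symbol key, enumerable or not, while Object.keys, for-in and JSON.stringify only ever see string keys, and Object.freeze/Object.isFrozen must account for symbol keys as well. The sample object, symbols and helper names are constructed for this example.

```javascript
// Added example, not code from the WebKit ChangeLog entry above. It shows,
// from script, which of the reflection APIs expose symbol-keyed properties:
// Object.getOwnPropertySymbols returns every own symbol key (enumerable or
// not), while Object.keys, for-in and JSON.stringify only ever see string
// keys. The sample object and symbols are constructed for this example.

const SYM_VISIBLE = Symbol("visible");
const SYM_HIDDEN = Symbol("hidden");

// Builds an object with one string key, one enumerable symbol key and one
// non-enumerable symbol key.
function makeSample() {
  const obj = { name: "sample", [SYM_VISIBLE]: 1 };
  Object.defineProperty(obj, SYM_HIDDEN, { value: 2, enumerable: false });
  return obj;
}

// Reports how each API sees the object's keys. Symbols are reported through
// String(symbol) ("Symbol(description)") so the result is plain data.
function describeKeys(obj) {
  const forInKeys = [];
  for (const k in obj) forInKeys.push(k);
  return {
    keys: Object.keys(obj),
    forIn: forInKeys,
    symbols: Object.getOwnPropertySymbols(obj).map((s) => String(s)),
    ownKeysCount: Reflect.ownKeys(obj).length,
    json: JSON.stringify(obj),
  };
}

// Object.freeze and Object.isFrozen have to take symbol-keyed properties into
// account too: a writable symbol property keeps the object from being frozen,
// and freezing makes it non-writable.
function freezeCoversSymbols() {
  const obj = makeSample();
  const before = Object.isFrozen(obj);
  Object.freeze(obj);
  const desc = Object.getOwnPropertyDescriptor(obj, SYM_VISIBLE);
  return { before, after: Object.isFrozen(obj), symbolWritable: desc.writable };
}

console.log(describeKeys(makeSample()));
console.log(freezeCoversSymbols());
```

        Note that the non-enumerable symbol is still returned by getOwnPropertySymbols; only for-in, Object.keys and JSON.stringify filter it out, and they filter it because it is a symbol, not because it is non-enumerable.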
2660
2661 2015-04-03  Mark Lam  <mark.lam@apple.com>
2662
2663         Add Options::jitPolicyScale() as a single knob to make all compilations happen sooner.
2664         <https://webkit.org/b/143385>
2665
2666         Reviewed by Geoffrey Garen.
2667
2668         For debugging purposes, sometimes, we want to be able to make compilation happen
2669         sooner to see if we can accelerate the manifestation of certain events / bugs.
2670         Currently, in order to achieve this, we'll have to tweak multiple JIT thresholds
2671         which make up the compilation policy.  Let's add a single knob that can tune all
2672         the thresholds up / down in one go proportionately so that we can easily tweak
2673         how soon compilation occurs.
2674
2675         * runtime/Options.cpp:
2676         (JSC::scaleJITPolicy):
2677         (JSC::recomputeDependentOptions):
2678         * runtime/Options.h:
2679
2680 2015-04-03  Geoffrey Garen  <ggaren@apple.com>
2681
2682         is* API methods should be @properties
2683         https://bugs.webkit.org/show_bug.cgi?id=143388
2684
2685         Reviewed by Mark Lam.
2686
2687         This appears to be the preferred idiom in WebKit, CA, AppKit, and
2688         Foundation.
2689
2690         * API/JSValue.h: Be @properties.
2691
2692         * API/tests/testapi.mm:
2693         (testObjectiveCAPI): Use the @properties.
2694
2695 2015-04-03  Mark Lam  <mark.lam@apple.com>
2696
2697         Some JSC Options refactoring and enhancements.
2698         <https://webkit.org/b/143384>
2699
2700         Rubber stamped by Benjamin Poulain.
2701
2702         Create a better encapsulated Option class to make working with options easier.  This
2703         is a building block towards a JIT policy scaling debugging option I will introduce later.
2704
2705         This work entails:
2706         1. Convert Options::Option into a public class Option (which works closely with Options).
2707         2. Convert Options::EntryType into an enum class Options::Type and make it public.
2708         3. Rename Options::OPT_<option name> to Options::<option name>ID because it reads better.
2709         4. Add misc methods to class Option to make it more usable.
2710
2711         * runtime/Options.cpp:
2712         (JSC::Options::dumpOption):
2713         (JSC::Option::dump):
2714         (JSC::Option::operator==):
2715         (JSC::Options::Option::dump): Deleted.
2716         (JSC::Options::Option::operator==): Deleted.
2717         * runtime/Options.h:
2718         (JSC::Option::Option):
2719         (JSC::Option::operator!=):
2720         (JSC::Option::name):
2721         (JSC::Option::description):
2722         (JSC::Option::type):
2723         (JSC::Option::isOverridden):
2724         (JSC::Option::defaultOption):
2725         (JSC::Option::boolVal):
2726         (JSC::Option::unsignedVal):
2727         (JSC::Option::doubleVal):
2728         (JSC::Option::int32Val):
2729         (JSC::Option::optionRangeVal):
2730         (JSC::Option::optionStringVal):
2731         (JSC::Option::gcLogLevelVal):
2732         (JSC::Options::Option::Option): Deleted.
2733         (JSC::Options::Option::operator!=): Deleted.
2734
2735 2015-04-03  Geoffrey Garen  <ggaren@apple.com>
2736
2737         JavaScriptCore API should support type checking for Array and Date
2738         https://bugs.webkit.org/show_bug.cgi?id=143324
2739
2740         Follow-up to address a comment by Dan.
2741
2742         * API/WebKitAvailability.h: __MAC_OS_X_VERSION_MIN_REQUIRED <= 101100
2743         is wrong, since this API is available when __MAC_OS_X_VERSION_MIN_REQUIRED
2744         is equal to 101100.
2745
2746 2015-04-03  Geoffrey Garen  <ggaren@apple.com>
2747
2748         JavaScriptCore API should support type checking for Array and Date
2749         https://bugs.webkit.org/show_bug.cgi?id=143324
2750
2751         Follow-up to address a comment by Dan.
2752
2753         * API/WebKitAvailability.h: Do use 10.0 because it was right all along.
2754         Added a comment explaining why.
2755
2756 2015-04-03  Csaba Osztrogonác  <ossy@webkit.org>
2757
2758         FTL JIT tests should fail if LLVM library isn't available
2759         https://bugs.webkit.org/show_bug.cgi?id=143374
2760
2761         Reviewed by Mark Lam.
2762
2763         * dfg/DFGPlan.cpp:
2764         (JSC::DFG::Plan::compileInThreadImpl):
2765         * runtime/Options.h:
2766
2767 2015-04-03  Zan Dobersek  <zdobersek@igalia.com>
2768
2769         Fix the EFL and GTK build after r182243
2770         https://bugs.webkit.org/show_bug.cgi?id=143361
2771
2772         Reviewed by Csaba Osztrogonác.
2773
2774         * CMakeLists.txt: InspectorBackendCommands.js is generated in the
2775         DerivedSources/JavaScriptCore/inspector/ directory.
2776
2777 2015-04-03  Zan Dobersek  <zdobersek@igalia.com>
2778
2779         Unreviewed, fixing Clang builds of the GTK port on Linux.
2780
2781         * runtime/Options.cpp:
2782         Include the <math.h> header for isnan().
2783
2784 2015-04-02  Mark Lam  <mark.lam@apple.com>
2785
2786         Enhance ability to dump JSC Options.
2787         <https://webkit.org/b/143357>
2788
2789         Reviewed by Benjamin Poulain.
2790
2791         Some enhancements to how the JSC options work:
2792
2793         1. Add a JSC_showOptions option which takes values: 0 = None, 1 = Overridden only,
2794            2 = All, 3 = Verbose.
2795
2796            The default is 0 (None).  This dumps nothing.
2797            With the Overridden setting, at VM initialization time, we will dump all
2798            option values that have been changed from their default.
2799            With the All setting, at VM initialization time, we will dump all option values.
2800            With the Verbose setting, at VM initialization time, we will dump all option
2801            values along with their descriptions (if available).
2802
2803         2. We now store a copy of the default option values.
2804
2805            We later use this for comparison to tell if an option has been overridden, and
2806            print the default value for reference.  As a result, we no longer need the
2807            didOverride flag since we can compute whether the option is overridden at any time.
2808
2809         3. Added description strings to some options to be printed when JSC_showOptions=3 (Verbose).
2810
2811            This will come in handy later when we want to rename some of the options to more sane
2812            names that are easier to remember.  For example, we can change
2813            Options::dfgFunctionWhitelistFile() to Options::dfgWhiteList(), and
2814            Options::slowPathAllocsBetweenGCs() to Options::forcedGcRate().  With the availability
2815            of the description, we can afford to use shorter and less descriptive option names,
2816            but they will be easier to remember and use for day to day debugging work.
2817
2818            In this patch, I did not change the names of any of the options yet.  I only added
2819            description strings for options that I know about, and where I think the option name
2820            isn't already descriptive enough.
2821
2822         4. Also deleted some unused code.
2823
2824         * jsc.cpp:
2825         (CommandLine::parseArguments):
2826         * runtime/Options.cpp:
2827         (JSC::Options::initialize):
2828         (JSC::Options::setOption):
2829         (JSC::Options::dumpAllOptions):
2830         (JSC::Options::dumpOption):
2831         (JSC::Options::Option::dump):
2832         (JSC::Options::Option::operator==):
2833         * runtime/Options.h:
2834         (JSC::OptionRange::rangeString):
2835         (JSC::Options::Option::Option):
2836         (JSC::Options::Option::operator!=):
2837
2838 2015-04-02  Geoffrey Garen  <ggaren@apple.com>
2839
2840         JavaScriptCore API should support type checking for Array and Date
2841         https://bugs.webkit.org/show_bug.cgi?id=143324
2842
2843         Reviewed by Darin Adler, Sam Weinig, Dan Bernstein.
2844
2845         * API/JSValue.h:
2846         * API/JSValue.mm:
2847         (-[JSValue isArray]):
2848         (-[JSValue isDate]): Added an ObjC API.
2849
2850         * API/JSValueRef.cpp:
2851         (JSValueIsArray):
2852         (JSValueIsDate):
2853         * API/JSValueRef.h: Added a C API.
2854
2855         * API/WebKitAvailability.h: Brought our availability macros up to date
2856         and fixed a harmless bug where "10_10" translated to "10.0".
2857
2858         * API/tests/testapi.c:
2859         (main): Added a test and corrected a pre-existing leak.
2860
2861         * API/tests/testapi.mm:
2862         (testObjectiveCAPI): Added a test.
2863
2864 2015-04-02  Mark Lam  <mark.lam@apple.com>
2865
2866         Add Options::dumpSourceAtDFGTime().
2867         <https://webkit.org/b/143349>
2868
2869         Reviewed by Oliver Hunt, and Michael Saboff.
2870
2871         Sometimes, we will want to see the JS source code that we're compiling, and it
2872         would be nice to be able to do this without having to jump through a lot of hoops.
2873         So, let's add a Options::dumpSourceAtDFGTime() option just like we have a
2874         Options::dumpBytecodeAtDFGTime() option.
2875
2876         Also added versions of CodeBlock::dumpSource() and CodeBlock::dumpBytecode()
2877         that explicitly take no arguments (instead of relying on the version that takes
2878         the default argument).  These versions are friendlier to use when we want to call
2879         them from an interactive debugging session.
2880
2881         * bytecode/CodeBlock.cpp:
2882         (JSC::CodeBlock::dumpSource):
2883         (JSC::CodeBlock::dumpBytecode):
2884         * bytecode/CodeBlock.h:
2885         * dfg/DFGByteCodeParser.cpp:
2886         (JSC::DFG::ByteCodeParser::parseCodeBlock):
2887         * runtime/Options.h:
2888
2889 2015-04-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2890
2891         Clean up EnumerationMode to easily extend
2892         https://bugs.webkit.org/show_bug.cgi?id=143276
2893
2894         Reviewed by Geoffrey Garen.
2895
2896         To make the following easy:
2897         1. Adding a new flag Include/ExcludeSymbols in the Object.getOwnPropertySymbols patch
2898         2. Making ExcludeSymbols implicitly the default for the existing flags
2899         we encapsulate the EnumerationMode flags into the EnumerationMode class.
2900
2901         And this class manages 2 flags. Later it will be extended to 3.
2902         1. DontEnumPropertiesMode (default is Exclude)
2903         2. JSObjectPropertiesMode (default is Include)
2904         3. SymbolPropertiesMode (default is Exclude)
2905             SymbolPropertiesMode will be added in Object.getOwnPropertySymbols patch.
2906
2907         This patch replaces places using ExcludeDontEnumProperties
2908         to EnumerationMode() value which represents default mode.
2909
2910         * API/JSCallbackObjectFunctions.h:
2911         (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
2912         * API/JSObjectRef.cpp:
2913         (JSObjectCopyPropertyNames):
2914         * bindings/ScriptValue.cpp:
2915         (Deprecated::jsToInspectorValue):
2916         * bytecode/ObjectAllocationProfile.h:
2917         (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
2918         * runtime/ArrayPrototype.cpp:
2919         (JSC::arrayProtoFuncSort):
2920         * runtime/EnumerationMode.h:
2921         (JSC::EnumerationMode::EnumerationMode):
2922         (JSC::EnumerationMode::includeDontEnumProperties):
2923         (JSC::EnumerationMode::includeJSObjectProperties):
2924         (JSC::shouldIncludeDontEnumProperties): Deleted.
2925         (JSC::shouldExcludeDontEnumProperties): Deleted.
2926         (JSC::shouldIncludeJSObjectPropertyNames): Deleted.
2927         (JSC::modeThatSkipsJSObject): Deleted.
2928         * runtime/GenericArgumentsInlines.h:
2929         (JSC::GenericArguments<Type>::getOwnPropertyNames):
2930         * runtime/JSArray.cpp:
2931         (JSC::JSArray::getOwnNonIndexPropertyNames):
2932         * runtime/JSArrayBuffer.cpp:
2933         (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
2934         * runtime/JSArrayBufferView.cpp:
2935         (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
2936         * runtime/JSFunction.cpp:
2937         (JSC::JSFunction::getOwnNonIndexPropertyNames):
2938         * runtime/JSFunction.h:
2939         * runtime/JSGenericTypedArrayViewInlines.h:
2940         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnNonIndexPropertyNames):
2941         * runtime/JSLexicalEnvironment.cpp:
2942         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
2943         * runtime/JSONObject.cpp:
2944         (JSC::Stringifier::Holder::appendNextProperty):
2945         (JSC::Walker::walk):
2946         * runtime/JSObject.cpp:
2947         (JSC::getClassPropertyNames):
2948         (JSC::JSObject::getOwnPropertyNames):
2949         (JSC::JSObject::getOwnNonIndexPropertyNames):
2950         (JSC::JSObject::getGenericPropertyNames):
2951         * runtime/JSPropertyNameEnumerator.h:
2952         (JSC::propertyNameEnumerator):
2953         * runtime/JSSymbolTableObject.cpp:
2954         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
2955         * runtime/ObjectConstructor.cpp:
2956         (JSC::objectConstructorGetOwnPropertyNames):
2957         (JSC::objectConstructorKeys):
2958         (JSC::defineProperties):
2959         (JSC::objectConstructorSeal):
2960         (JSC::objectConstructorFreeze):
2961         (JSC::objectConstructorIsSealed):
2962         (JSC::objectConstructorIsFrozen):
2963         * runtime/RegExpObject.cpp:
2964         (JSC::RegExpObject::getOwnNonIndexPropertyNames):
2965         (JSC::RegExpObject::getPropertyNames):
2966         (JSC::RegExpObject::getGenericPropertyNames):
2967         * runtime/StringObject.cpp:
2968         (JSC::StringObject::getOwnPropertyNames):
2969         * runtime/Structure.cpp:
2970         (JSC::Structure::getPropertyNamesFromStructure):
2971
2972 2015-04-01  Alex Christensen  <achristensen@webkit.org>
2973
2974         Progress towards CMake on Windows and Mac.
2975         https://bugs.webkit.org/show_bug.cgi?id=143293
2976
2977         Reviewed by Filip Pizlo.
2978
2979         * CMakeLists.txt:
2980         Enabled using assembly on Windows.
2981         Replaced unix commands with CMake commands.
2982         * PlatformMac.cmake:
2983         Tell open source builders where to find unicode headers.
2984
2985 2015-04-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2986
2987         IteratorClose should be called when jumping over the target for-of loop
2988         https://bugs.webkit.org/show_bug.cgi?id=143140
2989
2990         Reviewed by Geoffrey Garen.
2991
2992         This patch fixes labeled break/continue behaviors with for-of and iterators.
2993
2994         1. Support IteratorClose beyond multiple loop contexts
2995         Previously, IteratorClose was only executed in for-of's breakTarget().
2996         However, this misses IteratorClose execution when a statement rolls up multiple control flow contexts.
2997         For example,
2998         outer: for (var e1 of outer) {
2999             inner: for (var e2 of inner) {
3000                 break outer;
3001             }
3002         }
3003         In this case, the return method of inner should be called.
3004         We leverage the existing system for `finally` to execute inner.return method correctly.
3005         Leveraging `finally` system fixes `break`, `continue` and `return` cases.
3006         `throw` case is already supported by emitting try-catch handlers in for-of.
3007
3008         2. Incorrect LabelScope creation is done in ForOfNode
3009         ForOfNode creates a duplicated LabelScope.
3010         It causes an infinite loop when executing the following program that contains an
3011         explicitly labeled for-of loop.
3012         For example,
3013         inner: for (var elm of array) {
3014             continue inner;
3015         }
3016
3017         * bytecompiler/BytecodeGenerator.cpp:
3018         (JSC::BytecodeGenerator::pushFinallyContext):
3019         (JSC::BytecodeGenerator::pushIteratorCloseContext):
3020         (JSC::BytecodeGenerator::popFinallyContext):
3021         (JSC::BytecodeGenerator::popIteratorCloseContext):
3022         (JSC::BytecodeGenerator::emitComplexPopScopes):
3023         (JSC::BytecodeGenerator::emitEnumeration):
3024         (JSC::BytecodeGenerator::emitIteratorClose):
3025         * bytecompiler/BytecodeGenerator.h:
3026         * bytecompiler/NodesCodegen.cpp:
3027         (JSC::ForOfNode::emitBytecode):
3028         * tests/stress/iterator-return-beyond-multiple-iteration-scopes.js: Added.
3029         (createIterator.iterator.return):
3030         (createIterator):
3031         * tests/stress/raise-error-in-iterator-close.js: Added.
3032         (createIterator.iterator.return):
3033         (createIterator):
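
        The following is an added example, not code from this ChangeLog entry or from JavaScriptCore. It makes the behaviour described above observable from script: a labeled `break`, a labeled `continue` or a `return` that leaves a for-of loop must invoke the abandoned iterator's return() method (IteratorClose) for every loop context being unwound, and a `continue` targeting the for-of's own label must simply advance the loop. The makeIterable helper, its log and the sample data are constructed for this example.

```javascript
// Added example, not code from the WebKit ChangeLog entry above. It shows the
// observable behaviour the entry describes: a labeled `break`/`continue` that
// leaves a for-of loop must invoke the abandoned iterator's return() method
// (IteratorClose), even when several loop contexts are unwound at once.
// makeIterable and its log are constructed here for the demonstration.

// Builds an iterable over `items` whose iterator appends "<name>.return" to
// `log` whenever its return() method is called.
function makeIterable(name, items, log) {
  return {
    [Symbol.iterator]() {
      let i = 0;
      return {
        next() {
          if (i < items.length) return { value: items[i++], done: false };
          return { value: undefined, done: true };
        },
        return() {
          log.push(name + ".return");
          return { value: undefined, done: true };
        },
      };
    },
  };
}

// `break outer` from inside the inner loop abandons both iterators, so the
// inner one must be closed first, then the outer one.
function breakOuterFromInner() {
  const log = [];
  const outer = makeIterable("outer", [1, 2], log);
  const inner = makeIterable("inner", ["a", "b"], log);
  outer: for (const e1 of outer) {
    for (const e2 of inner) {
      log.push(e1 + e2);
      break outer;
    }
  }
  return log;
}

// `continue outer` abandons only the inner iterator; the outer loop keeps
// running and a fresh inner iterator is created on each outer iteration.
// The outer iterator runs to exhaustion, so its return() is never called.
function continueOuterFromInner() {
  const log = [];
  const outer = makeIterable("outer", [1, 2], log);
  const inner = makeIterable("inner", ["a", "b"], log);
  outer: for (const e1 of outer) {
    for (const e2 of inner) {
      log.push(e1 + e2);
      continue outer;
    }
  }
  return log;
}

// A `return` statement leaving the nested loops closes both iterators too.
function returnFromNested() {
  const log = [];
  const outer = makeIterable("outer", [1, 2], log);
  const inner = makeIterable("inner", ["a", "b"], log);
  const pick = () => {
    for (const e1 of outer) {
      for (const e2 of inner) {
        return e1 + e2;
      }
    }
    return null;
  };
  const picked = pick();
  log.push("returned " + picked);
  return log;
}

// The second bug in the entry: `continue` targeting the for-of's own label
// must simply advance the loop, not spin forever. Returns the number of
// iterations actually performed.
function continueOwnLabel(items) {
  let count = 0;
  inner: for (const elm of items) {
    count += 1;
    continue inner;
  }
  return count;
}

console.log(breakOuterFromInner());
console.log(continueOuterFromInner());
console.log(returnFromNested());
console.log(continueOwnLabel(["x", "y", "z"]));
```

        The order of the log entries is the point: the innermost abandoned iterator is closed first, the outer one second, and an iterator that runs to exhaustion is never closed through return().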
3034
3035 2015-04-01  Yusuke Suzuki  <utatane.tea@gmail.com>
3036
3037         [ES6] Implement Symbol.unscopables
3038         https://bugs.webkit.org/show_bug.cgi?id=142829
3039
3040         Reviewed by Geoffrey Garen.
3041
3042         This patch introduces Symbol.unscopables functionality.
3043         In ES6, some generic names (like keys, values) are introduced
3044         as Array method names. And this breaks the web, since some web sites
3045         use code like the following.
3046
3047         var values = ...;
3048         with (array) {
3049             values;  // This values is trapped by array's method "values".
3050         }
3051
3052         To fix this, Symbol.unscopables introduces a blacklist
3053         for the with scope's trapping. When resolving a scope,
3054         if name is found in the target scope and the target scope is with scope,
3055         we check Symbol.unscopables object to filter generic names.
3056
3057         This functionality is only active for with scopes.
3058         Global scope does not have unscopables functionality.
3059
3060         And since
3061         1) op_resolve_scope for with scope always returns Dynamic resolve type,
3062         2) in that case, JSScope::resolve is always used in JIT and LLInt,
3063         3) the code which contains op_resolve_scope that returns Dynamic cannot be compiled with DFG and FTL,
3064         to implement this functionality, we just change JSScope::resolve, and there is no need to change JIT code.
3065         So the performance regression is only visible in the Dynamic resolving case, and it is already much slower.
3066
3067         * runtime/ArrayPrototype.cpp:
3068         (JSC::ArrayPrototype::finishCreation):
3069         * runtime/CommonIdentifiers.h:
3070         * runtime/JSGlobalObject.h:
3071         (JSC::JSGlobalObject::runtimeFlags):
3072         * runtime/JSScope.cpp:
3073         (JSC::isUnscopable):
3074         (JSC::JSScope::resolve):
3075         * runtime/JSScope.h:
3076         (JSC::ScopeChainIterator::scope):
3077         * tests/stress/global-environment-does-not-trap-unscopables.js: Added.
3078         (test):
3079         * tests/stress/unscopables.js: Added.
3080         (test):
3081         (.):
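
        The following is an added example, not code from this ChangeLog entry or from JavaScriptCore. It exercises the Symbol.unscopables rules described above from plain JavaScript: a name found on the `with` object is skipped when that object's Symbol.unscopables entry for it is truthy, only `with` scopes consult the list, and the global scope ignores it. Because `with` is only legal in sloppy mode, the code that uses it is assembled through the Function constructor (whose body is sloppy unless it opts in to strict mode); the resolveInsideWith helper, the sample objects and the global property name are constructed for this example.

```javascript
// Added example, not code from the WebKit ChangeLog entry above. It exercises
// the Symbol.unscopables behaviour the entry describes from plain JavaScript.
// `with` is only legal in sloppy mode, so the code that uses it is assembled
// through the Function constructor, whose body is sloppy unless it opts in to
// strict mode; the names and objects below are constructed for this example.

const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// Returns what the bare identifier `name` resolves to inside
// `with (scopeObject) { ... }` when an enclosing variable of the same name
// holds the string "outer". If the scope object's Symbol.unscopables entry
// for `name` is truthy, the `with` scope is skipped and "outer" is returned.
function resolveInsideWith(scopeObject, name) {
  // `name` is spliced into source text, so it is restricted to a plain
  // identifier; anything else is rejected rather than evaluated.
  if (!IDENTIFIER.test(name)) throw new TypeError("not an identifier: " + name);
  const body = 'var ' + name + ' = "outer"; with (o) { return ' + name + '; }';
  return new Function("o", body)(scopeObject);
}

// Array.prototype.values exists in ES6, but Array.prototype[Symbol.unscopables]
// lists it, so `values` inside `with (array)` still reaches the outer variable.
function arrayValuesStaysOuter() {
  return resolveInsideWith([1, 2, 3], "values");
}

// `length` is not in the unscopables list, so it is trapped by the array.
function arrayLengthIsTrapped() {
  return resolveInsideWith([1, 2, 3], "length");
}

// A user object can block names the same way; the check is ToBoolean on the
// entry, so a falsy entry (0, "", null) does not hide the property.
function customUnscopables() {
  const hidden = { secret: "inside", [Symbol.unscopables]: { secret: true } };
  const falsy = { secret: "inside", [Symbol.unscopables]: { secret: 0 } };
  const plain = { secret: "inside" };
  return {
    hidden: resolveInsideWith(hidden, "secret"),
    falsy: resolveInsideWith(falsy, "secret"),
    plain: resolveInsideWith(plain, "secret"),
  };
}

// Only `with` scopes consult Symbol.unscopables. A Symbol.unscopables property
// on the global object has no effect on global name resolution.
function globalScopeIgnoresUnscopables() {
  globalThis.unscopablesDemo = "global";
  globalThis[Symbol.unscopables] = { unscopablesDemo: true };
  try {
    return new Function("return unscopablesDemo;")();
  } finally {
    delete globalThis.unscopablesDemo;
    delete globalThis[Symbol.unscopables];
  }
}

console.log(arrayValuesStaysOuter(), arrayLengthIsTrapped());
console.log(customUnscopables(), globalScopeIgnoresUnscopables());
```

        The identifier check in resolveInsideWith is there because the name is spliced into source text handed to the Function constructor; the helper is a test fixture, not something to expose to untrusted input, and rejecting anything that is not a bare identifier keeps it from becoming an eval of caller-controlled code.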
3082
3083 2015-03-31  Ryosuke Niwa  <rniwa@webkit.org>
3084
3085         ES6 class syntax should allow static setters and getters
3086         https://bugs.webkit.org/show_bug.cgi?id=143180
3087
3088         Reviewed by Filip Pizlo.
3089
3090         Apparently I misread the spec when I initially implemented parseClass.
3091         ES6 class syntax allows static getters and setters so just allow that.
3092
3093         * parser/Parser.cpp:
3094         (JSC::Parser<LexerType>::parseClass):
3095
3096 2015-03-31  Filip Pizlo  <fpizlo@apple.com>
3097
3098         PutClosureVar CSE def() rule has a wrong base
3099         https://bugs.webkit.org/show_bug.cgi?id=143280
3100
3101         Reviewed by Michael Saboff.
3102         
3103         I think that this code was incorrect in a benign way, since the base of a
3104         PutClosureVar is not a JS-visible object. But it was preventing some optimizations.
3105
3106         * dfg/DFGClobberize.h:
3107         (JSC::DFG::clobberize):
3108
3109 2015-03-31  Commit Queue  <commit-queue@webkit.org>
3110
3111         Unreviewed, rolling out r182200.
3112         https://bugs.webkit.org/show_bug.cgi?id=143279
3113
3114         Probably causing assertion extravaganza on bots. (Requested by
3115         kling on #webkit).
3116
3117         Reverted changeset:
3118
3119         "Logically empty WeakBlocks should not pin down their
3120         MarkedBlocks indefinitely."
3121         https://bugs.webkit.org/show_bug.cgi?id=143210
3122         http://trac.webkit.org/changeset/182200
3123
3124 2015-03-31  Yusuke Suzuki  <utatane.tea@gmail.com>
3125
3126         Clean up Identifier factories to clarify the meaning of StringImpl*
3127         https://bugs.webkit.org/show_bug.cgi?id=143146
3128
3129         Reviewed by Filip Pizlo.
3130
3131         In a lot of places, the `Identifier(VM*/ExecState*, StringImpl*)` constructor is used.
3132         However, it's ambiguous because `StringImpl*` has 2 different meanings.
3133         1) normal string, which is replaceable with `WTFString`, and
3134         2) `uid`, which holds `isSymbol` information to represent Symbols.
3135         So we dropped Identifier constructors for strings and instead, introduced 2 factory functions.
3136         + `Identifier::fromString(VM*/ExecState*, const String&)`.
3137         Just construct Identifier from strings. The symbol-ness of StringImpl* is not kept.
3138         + `Identifier::fromUid(VM*/ExecState*, StringImpl*)`.
3139         This function is used for 2) `uid`. So symbol-ness of `StringImpl*` is kept.
3140
3141         And to clean up `StringImpl` which is used as uid,
3142         we introduce `StringKind` into `StringImpl`. There are 3 kinds:
3143         1. StringNormal (non-atomic, non-symbol)
3144         2. StringAtomic (atomic, non-symbol)
3145         3. StringSymbol (non-atomic, symbol)
3146         They are mutually exclusive. And (atomic, symbol) case should not exist.
3147
3148         * API/JSCallbackObjectFunctions.h:
3149         (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
3150         * API/JSObjectRef.cpp:
3151         (JSObjectMakeFunction):
3152         * API/OpaqueJSString.cpp:
3153         (OpaqueJSString::identifier):
3154         * bindings/ScriptFunctionCall.cpp:
3155         (Deprecated::ScriptFunctionCall::call):
3156         * builtins/BuiltinExecutables.cpp:
3157         (JSC::BuiltinExecutables::createExecutableInternal):
3158         * builtins/BuiltinNames.h:
3159         (JSC::BuiltinNames::BuiltinNames):
3160         * bytecompiler/BytecodeGenerator.cpp:
3161         (JSC::BytecodeGenerator::BytecodeGenerator):
3162         (JSC::BytecodeGenerator::emitThrowReferenceError):
3163         (JSC::BytecodeGenerator::emitThrowTypeError):
3164         (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
3165         (JSC::BytecodeGenerator::emitEnumeration):
3166         * dfg/DFGDesiredIdentifiers.cpp:
3167         (JSC::DFG::DesiredIdentifiers::reallyAdd):
3168         * inspector/JSInjectedScriptHost.cpp:
3169         (Inspector::JSInjectedScriptHost::functionDetails):
3170         (Inspector::constructInternalProperty):
3171         (Inspector::JSInjectedScriptHost::weakMapEntries):
3172         (Inspector::JSInjectedScriptHost::iteratorEntries):
3173         * inspector/JSInjectedScriptHostPrototype.cpp:
3174         (Inspector::JSInjectedScriptHostPrototype::finishCreation):
3175         * inspector/JSJavaScriptCallFramePrototype.cpp:
3176         * inspector/ScriptCallStackFactory.cpp:
3177         (Inspector::extractSourceInformationFromException):
3178         * jit/JITOperations.cpp:
3179         * jsc.cpp:
3180         (GlobalObject::finishCreation):
3181         (GlobalObject::addFunction):
3182         (GlobalObject::addConstructableFunction):
3183         (functionRun):
3184         (runWithScripts):
3185         * llint/LLIntData.cpp:
3186         (JSC::LLInt::Data::performAssertions):
3187         * llint/LowLevelInterpreter.asm:
3188         * parser/ASTBuilder.h:
3189         (JSC::ASTBuilder::addVar):
3190         * parser/Parser.cpp:
3191         (JSC::Parser<LexerType>::parseInner):
3192         (JSC::Parser<LexerType>::createBindingPattern):
3193         * parser/ParserArena.h:
3194         (JSC::IdentifierArena::makeIdentifier):
3195         (JSC::IdentifierArena::makeIdentifierLCharFromUChar):
3196         (JSC::IdentifierArena::makeNumericIdentifier):
3197         * runtime/ArgumentsIteratorPrototype.cpp:
3198         (JSC::ArgumentsIteratorPrototype::finishCreation):
3199         * runtime/ArrayIteratorPrototype.cpp:
3200         (JSC::ArrayIteratorPrototype::finishCreation):
3201         * runtime/ArrayPrototype.cpp:
3202         (JSC::ArrayPrototype::finishCreation):
3203         (JSC::arrayProtoFuncPush):
3204         * runtime/ClonedArguments.cpp:
3205         (JSC::ClonedArguments::getOwnPropertySlot):
3206         * runtime/CommonIdentifiers.cpp:
3207         (JSC::CommonIdentifiers::CommonIdentifiers):
3208         * runtime/CommonIdentifiers.h:
3209         * runtime/Error.cpp:
3210         (JSC::addErrorInfo):
3211         (JSC::hasErrorInfo):
3212         * runtime/ExceptionHelpers.cpp:
3213         (JSC::createUndefinedVariableError):
3214         * runtime/GenericArgumentsInlines.h:
3215         (JSC::GenericArguments<Type>::getOwnPropertySlot):
3216         * runtime/Identifier.h:
3217         (JSC::Identifier::isSymbol):
3218         (JSC::Identifier::Identifier):
3219         (JSC::Identifier::from): Deleted.
3220         * runtime/IdentifierInlines.h:
3221         (JSC::Identifier::Identifier):
3222         (JSC::Identifier::fromUid):
3223         (JSC::Identifier::fromString):
3224         * runtime/JSCJSValue.cpp:
3225         (JSC::JSValue::dumpInContextAssumingStructure):
3226         * runtime/JSCJSValueInlines.h:
3227         (JSC::JSValue::toPropertyKey):
3228         * runtime/JSGlobalObject.cpp:
3229         (JSC::JSGlobalObject::init):
3230         * runtime/JSLexicalEnvironment.cpp:
3231         (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
3232         * runtime/JSObject.cpp:
3233         (JSC::getClassPropertyNames):
3234         (JSC::JSObject::reifyStaticFunctionsForDelete):
3235         * runtime/JSObject.h:
3236         (JSC::makeIdentifier):
3237         * runtime/JSPromiseConstructor.cpp:
3238         (JSC::JSPromiseConstructorFuncRace):
3239         (JSC::JSPromiseConstructorFuncAll):
3240         * runtime/JSString.h:
3241         (JSC::JSString::toIdentifier):
3242         * runtime/JSSymbolTableObject.cpp:
3243         (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
3244         * runtime/LiteralParser.cpp:
3245         (JSC::LiteralParser<CharType>::tryJSONPParse):
3246         (JSC::LiteralParser<CharType>::makeIdentifier):
3247         * runtime/Lookup.h:
3248         (JSC::reifyStaticProperties):
3249         * runtime/MapConstructor.cpp:
3250         (JSC::constructMap):
3251         * runtime/MapIteratorPrototype.cpp:
3252         (JSC::MapIteratorPrototype::finishCreation):
3253         * runtime/MapPrototype.cpp:
3254         (JSC::MapPrototype::finishCreation):
3255         * runtime/MathObject.cpp:
3256         (JSC::MathObject::finishCreation):
3257         * runtime/NumberConstructor.cpp:
3258         (JSC::NumberConstructor::finishCreation):
3259         * runtime/ObjectConstructor.cpp:
3260         (JSC::ObjectConstructor::finishCreation):
3261         * runtime/PrivateName.h:
3262         (JSC::PrivateName::PrivateName):
3263         * runtime/PropertyMapHashTable.h:
3264         (JSC::PropertyTable::find):
3265         (JSC::PropertyTable::get):
3266         * runtime/PropertyName.h:
3267         (JSC::PropertyName::PropertyName):
3268         (JSC::PropertyName::publicName):
3269         (JSC::PropertyName::asIndex):
3270         * runtime/PropertyNameArray.cpp:
3271         (JSC::PropertyNameArray::add):
3272         * runtime/PropertyNameArray.h:
3273         (JSC::PropertyNameArray::addKnownUnique):
3274         * runtime/RegExpConstructor.cpp:
3275         (JSC::RegExpConstructor::finishCreation):
3276         * runtime/SetConstructor.cpp:
3277         (JSC::constructSet):
3278         * runtime/SetIteratorPrototype.cpp:
3279         (JSC::SetIteratorPrototype::finishCreation):
3280         * runtime/SetPrototype.cpp:
3281         (JSC::SetPrototype::finishCreation):
3282         * runtime/StringIteratorPrototype.cpp:
3283         (JSC::StringIteratorPrototype::finishCreation):
3284         * runtime/StringPrototype.cpp:
3285         (JSC::StringPrototype::finishCreation):
3286         * runtime/Structure.cpp:
3287         (JSC::Structure::getPropertyNamesFromStructure):
3288         * runtime/SymbolConstructor.cpp:
3289         * runtime/VM.cpp:
3290         (JSC::VM::throwException):
3291         * runtime/WeakMapConstructor.cpp:
3292         (JSC::constructWeakMap):
3293
3294 2015-03-31  Andreas Kling  <akling@apple.com>
3295
3296         Logically empty WeakBlocks should not pin down their MarkedBlocks indefinitely.
3297         <https://webkit.org/b/143210>
3298
3299         Reviewed by Geoffrey Garen.
3300
3301         Since a MarkedBlock cannot be destroyed until all the WeakBlocks pointing into it are gone,
3302         we had a little problem where WeakBlocks with only null pointers would still keep their
3303         MarkedBlock alive.
3304
3305         This patch fixes that by detaching WeakBlocks from their MarkedBlock once a sweep discovers
3306         that the WeakBlock contains no pointers to live objects. Ownership of the WeakBlock is passed
3307         to the Heap, which will sweep the list of these detached WeakBlocks as part of a full GC,
3308         destroying them once they're fully dead.
3309
3310         This allows the garbage collector to reclaim the 64kB MarkedBlocks much sooner, and resolves
3311         a mysterious issue where doing two full garbage collections back-to-back would free additional
3312         memory in the second collection.
3313
3314         Management of detached WeakBlocks is implemented as a Vector<WeakBlock*> in Heap, along with
3315         an index of the next block in that vector that needs to be swept. The IncrementalSweeper then
3316         calls into Heap::sweepNextLogicallyEmptyWeakBlock() to sweep one block at a time.
3317
3318         * heap/Heap.h:
3319         * heap/Heap.cpp:
3320         (JSC::Heap::collectAllGarbage): Add a final pass where we sweep the logically empty WeakBlocks
3321         owned by Heap, after everything else has been swept.
3322
3323         (JSC::Heap::notifyIncrementalSweeper): Set up an incremental sweep of logically empty WeakBlocks
3324         after a full garbage collection ends. Note that we don't do this after Eden collections, since
3325         they are unlikely to cause entire WeakBlocks to go empty.
3326
3327         (JSC::Heap::addLogicallyEmptyWeakBlock): Added. Interface for passing ownership of a WeakBlock
3328         to the Heap when it's detached from a WeakSet.
3329
3330         (JSC::Heap::sweepAllLogicallyEmptyWeakBlocks): Helper for collectAllGarbage() that sweeps all
3331         of the logically empty WeakBlocks owned by Heap.
3332
3333         (JSC::Heap::sweepNextLogicallyEmptyWeakBlock): Sweeps one logically empty WeakBlock if needed
3334         and updates the next-logically-empty-weak-block-to-sweep index.
3335
3336         (JSC::Heap::lastChanceToFinalize): Call sweepAllLogicallyEmptyWeakBlocks() here, since there
3337         won't be another chance after this.
3338
3339         * heap/IncrementalSweeper.h:
3340         (JSC::IncrementalSweeper::hasWork): Deleted.
3341
3342         * heap/IncrementalSweeper.cpp:
3343         (JSC::IncrementalSweeper::fullSweep):
3344         (JSC::IncrementalSweeper::doSweep):
3345         (JSC::IncrementalSweeper::sweepNextBlock): Restructured IncrementalSweeper a bit to simplify
3346         adding a new sweeping stage for the Heap's logically empty WeakBlocks. sweepNextBlock() is
3347         changed to return a bool (true if there's more work to be done.)